In recent times cyber security has become one of the top areas of concern for the board and the CEO. With several high-profile breaches in the news and CEOs, CISOs and CIOs getting fired over them, it is indeed one of the main worries for management and the Board.
I have done a loosely defined survey with some CEOs and CISOs and added a bit of my own personal prejudice in selecting the questions which I found to be frequent, interesting and also meaningful.
Here’s the list of top questions:
Metrics that the Board / CEOs “DO NOT” Ask
- The web is littered with security metrics for the board, including MTD, MTR, patching cycle and all our other nice security metrics. Rarely will you be fortunate enough to have a board member security-savvy enough to ask for them. If you have one – congratulations!
- Their questions are generally much simpler. Or perhaps much more difficult: simple questions are sometimes much harder to answer.
Top 10 Questions Board / CEOs Ask
- Are we secure? How can we know if we are secure?
- Do we know how we compare to peers within our industry?
- How effective is our security program?
- Have we been breached in the past? What did you learn?
- How do we know if we have NOT been hacked?
- How will you prevent breaches from happening in the future?
- Is our investment in cybersecurity going towards the right priorities?
- How confident are you that we will not make newspaper headlines for the wrong reasons?
- Are we spending the right amount on our cybersecurity program?
- Do we have cyber insurance? How much coverage do we need?
Understanding these questions can help CISOs communicate more clearly with the board and align cyber security initiatives with the business perspective.