Boards of directors are paying increasingly close attention to IT security, and for good reason: they may be personally liable should there be a data breach or major business disruption.
So CISOs should be prepared to face tough questions. A recent column by Christophe Veltsos, associate professor in the department of computer information science at Minnesota State University, outlined what boards should be looking for. Although the column is aimed at directors (and board members reading this piece should take note as well), CISOs should keep in mind that questions like these are what they may run into:
- Are profit-generating assets adequately secured?
- How well-protected is high-value information?
- Is the organization’s cybersecurity strategy aligned with its business objectives?
- How is the effectiveness of the cybersecurity program measured?
- Is the organization spending appropriately on security priorities?
- Would the organization be able to detect a breach?
- Does the cybersecurity function have access to adequate resources?
- How does the organization’s security program compare to that of its peers?
Veltsos quotes a security publication advising directors to look at cyber risks “with a vigorous, skeptical, intelligent and methodical inquiry.” CISOs have been warned.