Questions Boards Should Ask

cybersecurity risk management smallbusiness Aug 12, 2022

The challenge for directors or investors is determining the organization's overall cybersecurity maturity relative to its risk. The board of directors, in particular, has an oversight problem to solve, not a management problem.

To quickly explore organizational thinking and cybersecurity management, here are five questions to get the discussion started in the effort to provide oversight and due diligence.

What do you perceive as your cybersecurity risk?
The answer to this question provides a view into the organizational thinking about cybersecurity risk management practices. Does the organization have a technical view of cybersecurity or a mission-based approach to risk management?

How are you managing this risk?
This question goes a step further, examining organizational thinking and the alignment that supports cybersecurity risk mitigation. The answer will provide insight into the enterprise cybersecurity risk management program.

How are you measuring the reduction of cybersecurity risk?
This question will evoke several measures and metrics; however, from an oversight perspective, you will be looking for metrics that show risk reduction rather than metrics that merely monitor risk. Additionally, observe what the organization measures in cybersecurity; this indicates how it views the security problem.

Who owns cybersecurity risk management within the organization?
This is a simple roles and responsibilities question; when it comes to cybersecurity, who has the lead? First of all, “everyone” is not an answer; from an oversight perspective, you should know that everyone equals “no one.”

How are you prepared to respond to a cybersecurity incident?
Arguably, the previous four questions led us here. Here you are probing readiness should an incident occur. How an organization responds to a cybersecurity incident can increase or decrease the severity of that incident.

The answers to these questions will give you a sense of how the organization addresses cybersecurity risk, without requiring a technical discussion.

Author: Dr. Bill Souza | Aug 11, 2022 