Chapter 6

Critical Questions

“Look for people who have lots of great questions. Smart people are the ones who ask the most thoughtful questions, as opposed to thinking they have all the answers. Great questions are a much better indicator of future success than great answers.”

— Ray Dalio, founder of Bridgewater Associates

As technology continues to move to the cloud and to SaaS, and as the threat landscape evolves, it is essential that boards of directors are aware of emerging risks to their organization and take steps to mitigate them. As previously stated, one of the key ways to do this is by regularly engaging with the organization's Chief Information Security Officer (CISO) to understand the state of the company's cybersecurity posture. Once the CISO is in the room, what do we ask beyond the general “How secure are we?” In this chapter, we will explore the types of questions that boards should be asking their CISOs and senior technology executives to ensure that their organization is well-protected against cyber threats.

Asking the Right Questions

1. What is our overall cybersecurity posture?

The first question that boards should ask their CISO and senior technology executives is about the overall cybersecurity posture of the organization. This should include information on the current state of the company's security controls, the effectiveness of these controls, and any gaps or vulnerabilities that have been identified. The CISO and senior technology executives should also provide information on any recent cyberattacks or breaches that have occurred and what steps were taken to mitigate them. The number of incidents, and metrics from a bounty program (which helps find and track the number of security vulnerabilities), are also good indicators of the organization's posture. Before diving into the details of technical debt, the board should start by asking about the current state of the systems being protected. This includes asking about the age and version of software, the number of patches and upgrades required, and the overall state of the technology infrastructure.

2. What are our most critical assets, and how are they protected?

Another important question boards should ask is about the organization's most critical assets and how they are protected. We love this question because it connects the three most strategic elements: (1) business operations; (2) the state of the technology and the most critical data that powers the enterprise; and (3) the security capabilities to monitor, detect, prevent, and alert. This includes information on the types of data and systems that the organization relies on, the level of access that different users have to these assets, and the controls in place to protect them. The CISO and senior technology executives should also provide information on any recent vulnerabilities or threats that have been identified and the steps that have been taken to address them. As part of this question, understand the nature and impact of any tech debt, and whether it has come about from a legacy application or a recent acquisition.

3. How are we addressing emerging threats?

As the cybersecurity threat landscape continues to evolve, it is critical for organizations to stay ahead of emerging threats. To accomplish this, boards must actively engage with their CISO and senior technology executives to inquire about the measures being taken to proactively address new and emerging threats. This includes seeking information on any new technologies or approaches being adopted, as well as any employee training or awareness programs being implemented to promote safe online practices.

Ransomware: A Critical Threat

Ransomware is a type of malicious software (malware) that encrypts a victim's data, effectively locking them out of their own files or systems. The attacker then demands a ransom, usually in the form of cryptocurrency, in exchange for the decryption key needed to regain access to the data. Ransomware attacks have become increasingly prevalent, with numerous variants and iterations posing a severe threat to businesses worldwide. These attacks put boards in a challenging position, as they must make difficult decisions in response to such incidents. For example, the FBI discourages paying the ransom in response to a ransomware attack. However, boards must weigh the potential consequences of not paying the ransom, such as the loss of critical data or prolonged operational disruptions, against the ethical considerations of giving in to extortion.

This complex situation highlights the urgent need for companies to understand evolving threats and make the necessary investments to protect their operations. Some issues, such as ransomware attacks, may require immediate attention and cannot wait for board meetings. By proactively addressing emerging threats like ransomware, organizations can position themselves to effectively respond to new challenges, minimize the risk of data breaches, and maintain the trust of their stakeholders. To successfully navigate the complexities of ransomware attacks, boards should foster a culture of cybersecurity awareness, invest in robust security measures, and develop comprehensive incident response plans. This proactive approach can help organizations minimize the impact of ransomware attacks and ensure they are better prepared to make informed decisions when faced with such incidents.

4. How are we measuring the effectiveness of our cybersecurity controls?

Another important question for boards to ask is how the organization is measuring the effectiveness of its cybersecurity controls. This should include information on the metrics that are being used to evaluate the performance of different security controls and the results that have been achieved. The CISO and senior technology executives should also provide information on any recent audits or assessments that have been conducted and their results. While we recognize there is no standard way to measure effectiveness, it is important to use benchmarks as well as many data points to help triangulate the overall effectiveness.

5. How are we preparing for potential breaches?

Boards should ask their CISO and senior technology executives about the steps that the organization is taking to prepare for potential breaches. This should include information on the incident response plan that is in place and the steps that have been taken to test and validate it. The CISO and senior technology executives should also provide information on any recent simulations or exercises that have been conducted and their results. With ransomware attacks on the rise, the ability to fully recover from data loss is a vital part of incident response. How often are these recovery controls tested, and can the organization fully recover from a complete loss of its systems?

6. Ask the CISO or Tech Executive: “What is the one thing we can do to help you?”

Finally, boards should ask their CISO and senior technology executives to share one thing they need in terms of support from the board. Listen carefully to what is said and also to what is not said. Is the CISO struggling to get support and cooperation from the executive team? Is the CISO feeling alone, with many open vulnerabilities that other departments are not taking seriously? Are business leaders “accepting risks” they don't fully understand? By asking the question, the board is communicating its support for a CISO who might be feeling overwhelmed by the number of threats and without enough support to do anything about them.

Cybersecurity governance is a critical aspect of any modern business, and dialogue with the board of directors plays a vital role in ensuring that the organization is well-protected against cyber threats. By regularly engaging with their CISO and senior technology executives, boards can gain a better understanding of the organization's cybersecurity posture and take steps to mitigate any risks that have been identified. The questions outlined in this chapter provide a good starting point for boards to begin their engagement with their CISO and senior technology executives and to ensure that their organization is well-protected against cyber threats. The ability to engage with candor is of paramount importance for the CISO and other senior executives. Encouraging honest conversations about cyber risks can lead to more effective decision-making and risk mitigation strategies.

Some of the key reasons why candid communication is essential in cybersecurity governance:

  • Identifying the right problems: Open communication allows the CISO and other executives to raise concerns about the most pressing cybersecurity issues facing the organization. By highlighting these risks, the board can prioritize resources and efforts towards addressing the most critical vulnerabilities.
  • Promoting trust and collaboration: When the CISO and senior technology executives can openly discuss risks without fear of reprisal or blame, it fosters a culture of trust and collaboration. This atmosphere enables the board and the C-suite to work together effectively to develop and implement comprehensive cybersecurity strategies.
  • Informed decision-making: Candid communication about known risks helps the board make informed decisions regarding cybersecurity investments, policies, and procedures. This understanding allows the board to allocate resources more effectively and prioritize initiatives that will have the most significant impact on the organization's security posture.
  • Enhancing stakeholder confidence: Transparent and open communication about cyber risks and the steps being taken to address them can help build stakeholder confidence in the organization's commitment to cybersecurity.

In summary, candid and open communication between the CISO, senior technology executives, and the board of directors is crucial for effective cybersecurity governance. The questions outlined in this chapter serve as a valuable starting point for boards to engage with their CISO and senior technology executives, ensuring that their organizations are well-protected against cyber threats. By fostering an environment of candor, organizations can more effectively identify and address the most pressing cybersecurity risks, ultimately safeguarding their reputation, financial stability, and overall business success.