On Board: Twelve Questions to Ask (Pt. II)

For the first installment of this two-part series, please visit the original post.

Running a successful operation in today’s complex business environment requires patience, vision and a strong leadership team. The Information Systems Audit & Control Association (ISACA) has released a set of questions geared toward making executive boards the watchdog group they must be to steer the ship and avoid disaster.

Because information security breaches are becoming exponentially more common and more expansive, upper management must learn to be aware of the myriad cyberthreats facing their organization and how to combat them. According to the Ponemon Institute, companies are taking an average of 170 days to detect outside attacks and 259 days for inside threats. Anyone can see that the time to detect and resolve cybersecurity incidents is far too long, and outdated security practices may be to blame.

In the first part of this series, six questions were asked as thought exercises designed to make executive leadership think about their organization’s security posture and what could be done to improve on an aging philosophy toward cybersecurity. The list continues with the second six questions to pose:

Communications Pipeline

Maintaining a common language and line of communication between a business’ information security practice and the governing board has always been contentious. Getting executive leadership to see things ‘IT’s way’ is a challenge because it’s sometimes difficult for InfoSec leaders to boil down important information into bite-sized form for the board. Working every day to maintain an easy-to-understand status report is something both executive leadership and IT professionals should strive for.

Question to Ask: “Does the board get information from the chief information security officer or equivalent officer who can explain in business and strategic terms the risk and controls approach?”

Disaster Drill

Once a breach is resolved, it’s back to business as normal. But this should not be the case in an agile and adaptable enterprise. Taking the time to decompress and document the events and practices leading up to, during and after an incident can greatly benefit the company. Since reports on incidents or drills are useless if not used for process improvement and policy revision, take advantage of the wealth of knowledge at your disposal so that future incidents aren’t as severe.

Question to Ask: “Are business-impact assessments and scenario planning exercises used to document the criticality of business processes and services?”

Enterprise View

In today’s modern business world, it’s nearly impossible to separate IT from daily life, although that’s not necessarily a bad thing. As such, looking at security purely from an IT perspective is missing the forest for the trees and is bound to cause problems down the line. An effective board always keeps the whole enterprise in mind when making changes that affect the information security unit.

Question to Ask: “Does the protection program address security in a holistic manner, considering technical risks and incidents that can arise from errors and omissions by internal sources and third parties?”

Open Dialogue

Keeping the lines of communication open between management and staff is essential to the survival of the enterprise, and doubly so in times of crisis. With so much information passing between both parties after an incident, it’s easy to rush and let valuable bits of information slip through the cracks. There needs to be a clear plan for a communication loop, including identifying roles and responsibilities for each employee. In doing so, you will help your board and your security team retain as much contextual information as possible for analysis once the dust has settled.

Question to Ask: “Has a crisis communication capability been implemented and integrated into response planning?”

Covering the Bases

Sometimes people forget to keep certain entities in the loop, which leaves entire departments out of the know. Before an important decision comes down from on high, a responsible board considers all stakeholders and the possible implications of a change in their business.

Question to Ask: “Are all stakeholders and their needs identified and considered when developing incident response plans?”

Continuous Improvement

‘What have we learned from all of this?’ is a fairly simple question that too often gets overlooked during incident resolution. By not learning from mistakes and successes, enterprises are doomed to fail over and over again. There’s a reason the saying ‘practice makes perfect’ exists.

Question to Ask: “Has incident response been recently practiced and have lessons learned been used to update and refine the incident response program?”

Asking the important questions above will go a long way toward making sure that the ship is steered in the right direction and has a solid crew during the storm.
