On Board: Twelve Questions to Ask (Pt. I)

Running a successful operation in today’s complex business environment requires patience, vision and a strong leadership team. The Information Systems Audit & Control Association (ISACA) has released a set of questions geared toward making executive boards the watchdog group they must be to steer the ship and avoid disaster.

Because information security breaches are becoming exponentially more common and more expansive, upper management must learn to be aware of the myriad cyberthreats facing their organization and how to combat them. According to the Ponemon Institute, companies are taking an average of 170 days to detect outside attacks and 259 days for inside threats. Anyone can see that the ratio of time to resolution for cybersecurity incidents is far too long, and outdated security practices may be to blame.

Designed as thought exercises, these questions are posed to make executive leadership think about their organization’s security posture and what could be done to improve on an aging philosophy toward cybersecurity:

Unusual Occurrences
One of the many ways cybersecurity incidents are found is through constant monitoring at an enterprise level. What information security officers look for are indications that a pattern has been broken and something is amiss. Establishing a baseline for normal activity based on predictive analytics and closely watching trends in access and information management is the key for successfully identifying intrusions.

Question to Ask: “Are detection capabilities sufficient to identify anomalies that could indicate a cyber-intrusion or attack?”

Uninterrupted Operations
For companies that stand to lose millions of dollars for every hour of server downtime, taking customer or client facing assets offline is a nightmare scenario. The ability to recover from an information security breach quickly and efficiently in timed mock exercises is one of the best ways to ensure continuity of the business and minimize significant interruptions during a real attack. Additionally, studying the results of disaster recovery drills can help expose any holes or weak spots in recovery plans.

Question to Ask: “Is sufficient attention given to the ability to defend against intrusions, as well as the ability to recover and restore essential functions and services?”

Reputational Consideration
Board members know the brand is the business. When it comes to brand management, it’s important to keep the concept of Murphy’s Law in mind; the notion that anything that can happen eventually will. Being aware and mindful of all potential threats to the business can help board executives respond more favorably. As the old adage states: Better the devil you know than the devil you don’t.

Question to Ask: “Is the board routinely informed about the potential material operational risk and risk mitigation strategies, as well as incidents that could impact the brand?”

Learning Curve
Staying educated and informed on the latest concepts and trends in information security is essential when cybersecurity breaches occur every day, each with greater size and frequency than the last. Attending webinars and conferences with a focus on information security at least once a quarter and presenting findings to fellow board members is a solid strategy to stay up to date.

Question to Ask: “Is the board equipped with the right competencies to understand cyber-related risks and determine if management is taking appropriate action?”

Up to Speed
Things can change very quickly in modern enterprises, particularly in ones that treat individual business units almost like separate companies. As such, many departments will have their own software and hardware tools to handle various responsibilities and roles. With those pieces of technology comes unique vulnerabilities. It’s the responsibility of all board members to be aware of the risks associated with the technology their subordinates manage. Knowing this is essential to understanding the implications associated with any decisions related to those technologies.

Question to Ask: “Is the board sufficiently informed about changes to the business’ use of technology and associated operational risks to exercise its responsibility?”

Symbiotic Relationship
Understanding the degree to which information security intersects with day-to-day operations is key to making the best possible decisions for the business. If anything, board members should be doing everything in their power to make sure that departments outside of information security understand the gravity of their everyday responsibilities with respect to the IS posture of the enterprise.

Question to Ask: “To what extent do information and cyber-security programs align with business requirements?”

For more questions to ask, please tune in next week for the second part of this series.

Related Articles

Shutdown makes business riskier

Shutdown makes business riskier

Learn how the government shutdown affected business and the countermeasures needed to address the risk to remedy the situation.