5 Basic Questions for the Board – Cybersecurity

Congratulations! You’re on the Board or perhaps the audit committee. You know you’re responsible for cybersecurity and technology risk, but you’re also juggling many other responsibilities. Cybersecurity, technology, AI, and related topics can quickly become complex and daunting. Conversations often end with dire warnings or significant budget requests—sometimes both. The challenge is understanding what these requests are for and what the consequences are if you don’t fund them.

Here are five key questions to ask about cybersecurity:

1. Do we know what our systems are, what they do, and what components are used to build them?

To secure something, you need to know what it is. Ensure you have a comprehensive list of systems or services and their components, including software, hardware, data, and third-party services. This is your system ‘architecture.’

Note: You don't need to verify this personally. Just confirm its existence and consider having it checked by a consultant or audit team.

2. Have we prioritised the parts of our business that need more or less security?

Trying to secure everything equally is impractical and expensive. Prioritise security based on the sensitivity of the information. For example, customer and employee data require more security than non-sensitive information like details of a past company event.

Note: This assessment should be presented clearly to you. It defines what’s important and what isn’t, which is a Board decision.

3. Are our security rules clear and documented?

A base set of security rules should be in place, such as an information security policy. Ensure this policy has been presented to you. These rules should cover people, processes, and technology. Additionally, there should be more specific rules for securing highly sensitive information.

4. Do we know how well our rules are applied?

Understanding what to protect, its importance, and the applicable rules is crucial. You need to know if these rules are enforced. This can be determined through internal compliance checks, penetration testing, internal audits, or external audits. Ensure this information is presented to you in a straightforward manner.

5. Have we suffered any issues?

Whether large or small, any security issues should be reported to you. Understand what has happened and what measures are being taken to prevent future incidents.

Conclusion

These questions are simple but essential for driving your security program and fulfilling your responsibilities. You might get clear and immediate answers, which is a good start, but don’t be surprised if you don’t. Whenever complexity arises, bring the discussion back to these basic questions. Implementing actions based on these questions might be complex, but that’s why you have specialists. The questions themselves remain straightforward.

Keywords

  • Third-party assurance
  • Supply chain cyber risk
  • SME cybersecurity