Boards of directors have improved their knowledge and are better equipped to question the security measures used by their firms. Because they need to realize technological aspirations while cybersecurity concerns for distributed teams keep growing, they are engaging in deeper and more sophisticated conversations with risk and security professionals. As a result, they will no longer settle for questions such as "How protected are we?", "With X having been authorized only last year, why do we now need even more money for security?" or "Are you saying that we were attacked a hundred times?" Instead, directors will be far more targeted in their questions.
Trust between business executives and technology leaders is frequently broken when risk and security management professionals are unable to respond to board inquiries that have been framed by media reporting.
Your job is to be ready with answers that will steer the conversation toward reassurance, accountability, and appreciation for security procedures. Boards, as a whole, are concerned with three issues outside the scope of individual interests and concerns.
Earnings: operating and non-operating income, and progress toward stated objectives that are not revenue-based
Value: savings realized now and costs reduced over the long run
Risk: financial, economic, legal, security, new product development, and reputational risk
The five types of board questions are as follows.
Question Of Incidence
What it means: "Why did this occur? To be honest, I believed you had this situation under control. So what went wrong, exactly?"
Reason for asking: When an event has happened and the board is aware of it, or is being informed of it by the CISO, these inquiries are natural follow-ups.
Now, when many workers are doing work from home and the board may have security-related worries, this is more important than ever. These concerns may also arise in the wake of any other catastrophe, such as a data breach that can have far-reaching consequences for the company.
How to answer: An event of some kind will occur, so it's best to concentrate on the details while responding. Talk about what you already understand and what you're doing to learn what you don't. In short, acknowledge that an event has occurred, explain how it will affect the company, point out any problems that still need fixing, and offer solutions.
When presenting before the board, be careful not to favour any one alternative as the best. While the security leader is responsible for monitoring security and threats, accountability must always be established at the board or executive level.
Question Relating To Trade-Off
What it means: "Are we completely safe? Have you double-checked that?"
Reason for asking: It's common to hear questions like these from board members who aren't familiar with the full scope of security's influence on a company. No organization can ever be completely safe or secure. Your job is to figure out where the biggest dangers are and then direct whatever limited resources you have toward mitigating those risks, taking into account the risk tolerance of the company as a whole.
How to answer: The best way to reply is to say something along the lines of, "Given the dynamic nature of the threat environment, it's impossible to completely secure our data from all potential threats. I am responsible for implementing risk management controls. Our company is expanding, so we need to reevaluate how much risk we can afford. Our objective is to build a long-term system that strikes a balance between security and the needs of the organization."
Question Of Landscape
What it means: "How awful is it out there? Where do we stand with the events at firm X? I'm curious about how we stack up against the competition."
Reason for asking: Directors must be able to assess risks in the face of threat reports, publications, blogs, and increased regulation. They are perpetually curious about the activities of other organizations, particularly those comparable to their own. They want to know the "climate" and how they stack up against the competition.
How to answer: Do not comment on the reason for a security event at another organization; instead, offer to follow up with the concerned party once further information is obtained. The identification of a comparable flaw and the revision of plans for business continuity are two examples of the kinds of broad security responses you may want to address.
Question Of Risk
What it means: "Are we aware of the dangers we face? What security problems keep you awake at night?"
Reason for asking: Taking risks is optional (if the board doesn't recognise this, you have a problem on your hands). They expect assurance that the business's risks are being managed, so be prepared to justify risk management choices by outlining the level of risk the organization is willing to take.
How to answer: When describing the results of risk management choices for the company, be careful to back up your claims with data. The board's tolerance for risk is the critical consideration in the next step: whenever the level of risk approaches that threshold, action must be taken to bring it back down to an acceptable level. However, this doesn't require sudden, drastic adjustments; proceed with caution.
The board wants reassurance that you're taking care of the big risks, and they recognise that sometimes a more subtle, long-term strategy is the best way to go. Keep in mind that the board is ultimately responsible for "enterprise" risk, of which cyber risk is just a subset. Make a point of being succinct and to the point. There is no shame in not knowing what the next major threat will be. Rather than worrying about things out of your control, such as the theft of intellectual property or the imposition of regulations, give your attention to the things you can influence.
Question Of Performance
What it means: Just as it sounds, this question asks whether the current allocation of resources is sufficient: "Should we increase our spending? When did spending become so important?"
Reason for asking: The board needs to know that those in charge of security and risk management are moving the needle in terms of KPIs and return on investment, so they ask these kinds of questions.
How to answer: Try the simplified traffic-light presentation of the balanced scorecard method. Business goals, and how well the company has done in meeting them, should be communicated at the highest level. Any discussion of goals should focus on expected commercial outcomes rather than on the underlying technology. A set of objective criteria is used to assess the security measures that underpin effectiveness.
As a security officer in a company, it is your responsibility to take care of the different aspects of cybersecurity in your organization. It is also your duty to answer to the various stakeholders on these matters. We hope our list of the top five question types gives you some insight to help you answer them in front of your board.