The seven questions any director should ask about cybersecurity regularly
In this article GUBERNA, and in particular its Cybersecurity Sounding Board committee, offers seven questions that help you, as a director, understand how cybersecurity is managed in the organisation. Simply asking these seven questions will also raise awareness of the importance of cybersecurity and of the need to prioritise actions.
1. What is the current cybersecurity strategy of the organisation?
Cybersecurity is about protecting data, processes, people (employees and customers), systems and networks from digital risks. Understanding the current cybersecurity strategy is crucial for directors of an organisation for several reasons.
First of all, directors need to know which ‘crown jewels’ in their organisation are protected, such as data, intellectual property and financial assets. A strong cybersecurity strategy helps safeguard these critical assets. There is no such thing as 100% security, and thus choices must be made. Directors must ensure the organisation’s most important assets are secured at the highest reasonable level. What is being protected and what needs to be protected is an essential part of any cybersecurity strategy. If there is no agreement on what to protect, the rest of the cybersecurity strategy is pointless.
Secondly, directors must know how relevant laws and regulations such as GDPR, NIS2, DORA, CRA, the Data Act and others are implemented, to avoid legal penalties and breaches arising from non-compliance. Compliance breaches can damage the organisation’s reputation and can expose directors to personal liability. A robust cybersecurity strategy demonstrates due diligence.
Thirdly, directors must review the allocation of appropriate budgets for cybersecurity initiatives. Again, there is never enough time, money and resources to be 100% secure, but since a budget must be set, it is crucial that organisations have an excellent security team with the appropriate expertise to tackle security topics and to understand the cyber vulnerabilities inside the core critical functions of the business. A risk-based approach is key. Only then will the organisation be better prepared to allocate investment where it is most needed. The cybersecurity strategy helps in making informed financial decisions in line with the organisation's goals and risk appetite, while at the same time supporting new technologies and initiatives in a secure manner (such as blockchain, smart contracts, AI, etc.).
Finally, a director on the board is accountable for the organisation’s overall governance, including cybersecurity. Understanding the cybersecurity strategy promotes transparency and accountability within the organisation.
2. What are the top 5 risks and countermeasures for the organisation regarding cybersecurity?
Directors are responsible for overseeing the organisation’s risk management practices. It is crucial for directors to know the top cybersecurity risks and countermeasures in order to manage risks effectively, to prioritise resources and attention on the most significant threats, to develop and implement effective countermeasures that mitigate potential impacts, to make strategic decisions that take potential cybersecurity impacts into account, to ensure legal and regulatory compliance, to protect the organisation's reputation, to uphold accountability, to foster a security culture, to enable the safe adoption of new technologies, to prevent cyber incidents that could damage the organisation’s reputation, and to respond swiftly and effectively in the event of a cyber incident. This comprehensive understanding empowers board directors to safeguard the organisation against the evolving landscape of cyber threats, and can prevent costly breaches and avoid fines and sanctions related to cybersecurity incidents.
Directors’ understanding of cybersecurity risks sets a tone at the top, emphasizing the importance of cybersecurity throughout the organisation.
3. How are employees made aware of their role and trained regarding cybersecurity?
Directors must understand how employees are trained in cybersecurity awareness, because the human element is critical in cybersecurity. Effective training enhances the organisation's security posture, mitigates risks, ensures regulatory compliance, provides financial benefits, protects the organisation’s reputation, fosters a security-conscious culture, and prepares employees for effective crisis response. This understanding empowers the board to support and promote robust security awareness programmes, thereby strengthening the overall security of the organisation. Directors should check how security roles and responsibilities are communicated to all employees, for example through internal communications such as newsletters and intranet updates. Directors should verify whether cybersecurity training programmes include mandatory onboarding and annual refresher courses. Regular real-life phishing simulations and tabletop exercises should also be sent to directors so that they participate.
4. How are external partners/suppliers assessed in terms of cybersecurity and which 5 have access to the most sensitive data & systems?
Critical suppliers provide essential services or products, and suppliers often have access to sensitive data and systems. A breach at a supplier can compromise the security of, and disrupt, the entire organisation, and thus can lead to negative publicity and loss of customer trust. Directors must inquire about the security maturity of critical suppliers to manage supply chain risks, ensure regulatory compliance, protect sensitive data and intellectual property, maintain business continuity even during cyber incidents, safeguard financial stability, protect the organisation's reputation, fulfil contractual obligations, avoid legal exposure, and make informed strategic decisions. Understanding suppliers’ security maturity is another crucial element of the overall security and resilience of the organisation, and it reduces the risk of supply chain disruptions.
Many regulations, but also many contracts, mandate that organisations ensure their suppliers meet specific security standards. Non-compliance can result in fines and legal issues. Organisations may face increased insurance premiums and liability if their suppliers lack adequate security measures. Knowing the security maturity of suppliers demonstrates due diligence during regulatory audits. Suppliers with mature security practices are more resilient and better prepared to handle and recover from security incidents. Awareness of suppliers’ security maturity informs decisions about partnerships and investments, and it enables directors to adopt a risk-based approach to managing supplier relationships, prioritising those with robust security measures.
Identifying the top five partners or suppliers with access to sensitive data and systems is necessary. These typically include cloud service providers, managed security service providers (MSSPs), IT infrastructure vendors, third-party developers, and consulting firms.
5. How is cybersecurity embedded in corporate programmes / projects?
Directors should ensure that cybersecurity is embedded in corporate programmes for several reasons. By integrating cybersecurity into corporate programmes, they manage risks effectively, comply with legal requirements, protect the organisation’s reputation, ensure operational continuity, gain competitive advantage, and fulfil their strategic governance responsibilities. Directors can be held liable for failing to implement adequate cybersecurity measures, which could lead to lawsuits and reputational damage. Including cybersecurity in corporate programmes ensures that it is integrated into the overall risk management strategy, aligned with business objectives.
6. How frequently is the cybersecurity KPI dashboard updated and presented?
A traditional board dashboard, together with budget follow-up, is as relevant in cybersecurity as it is in strategic, operational or financial management, and neither is technical. A director should know how executive management is informed about the evolution and the current state of cybersecurity in the organisation. Does a cybersecurity dashboard exist with Key Performance Indicators (KPIs) and Key Risk Indicators (KRIs) that allows for comprehensive oversight, informed decision-making and proactive risk management? How frequently is that cybersecurity dashboard updated and presented to executive management? What metrics are included in the cybersecurity dashboard (does it contain the number of cybersecurity incidents, cybersecurity compliance status, security awareness results, security training completion rates, vulnerability assessment results, phishing click rate, etc.)? Are results and actions from cybersecurity audits included in the cybersecurity dashboard?
7. How will the organisation respond in case of a serious cyber incident/crisis and how many times is this already rehearsed?
Although a director is not likely to be part of a detailed response plan, a director wants to be sure that there is a plan with a clear “owner” and that it has been tested with a cyber incident in mind. Which executives and leaders are part of the plan? What is their role? What are the communication plans (if systems are breached or unreliable, how will the organisation communicate)? Who alerts the authorities? Which authorities are alerted? Who talks to the employees, the press, the customers and the suppliers? If a ransom is demanded, what is the policy on paying it?
It is also helpful for a director to know what his or her role will be during a cyber incident and to practise it. Is the board’s role to be available for emergency meetings with executives to make just-in-time decisions? It is unlikely that any response plan will be executed exactly as documented, but fire drills, tabletop exercises and full-scale simulations to review and fine-tune the response plan help ensure preparedness and resilience against digital threats. It is essential that relevant cyber scenarios are part of the operational resilience solutions and the response plan.
Conclusion
Directors, as members of the board, have a unique role in helping their organisations manage cybersecurity risks proactively. Directors have oversight and fiduciary responsibility, and thus should not leave questions about critical cyber vulnerabilities until it is too late. Getting satisfactory answers to these seven questions regularly at board meetings might prevent a cybersecurity incident or breach from becoming a total disaster for the organisation. When was the last time you had answers to these seven questions at a board meeting?
For any comments, questions or queries on cybersecurity issues, you can get in touch with the Sounding Board committee members here.