Top 10 Questions All Boards Should Ask Their CISOs

How much will the company lose in one day if operations are shut down by a ransomware attack? What are the chances of that happening based on current cyber maturity? When CISOs (Chief Information Security Officers) begin cybersecurity board discussions with financial exposure analysis based on real data from their company’s quarterly earnings and operating budget, a light bulb switches on and brightens the room. The Board quickly understands the impact because CISOs are speaking their language.  

When trying to address cyber risk and how it aligns with the company’s strategic goals, communication challenges are no different at the highest levels of the company, especially between the CISO, the CEO, and/or the Board of Directors. Here are 10 questions Board members want CISOs to know and address at board meetings in a language they understand: numbers and percentages backed by industry data.

1. What are you doing to protect the company and shareholder investments? We need to avoid becoming a headline. What keeps me up at night? Headlines! Especially those that result in stock plunges.

2. What’s our roadmap for cybersecurity? I need to see a plan that is supported by metrics with a clear path to measure, prioritize, and track resources to show value and ROI over time. Where are we now and where do we need to be? How are we getting there? Show—don’t tell—me the way!

3. What’s our plan to defend against the latest emerging threats? What’s the next SolarWinds? How do we know we are safe when a backdoor to the network can be opened through a trusted software update and missed by many? We need threat intelligence that aggregates and analyzes cyber risk to inform our strategy.

4. How can you provide a fact-based assessment of our organization’s cyber risks and track how it changes over time with the latest threats? I need for you to articulate the risk reducing value of the company’s cybersecurity program through  reporting that tells us what it means to our business.  

5. How does our cyber risk impact our business risk? We need to capture changes in the cyber threat landscape and align them with our own unique business profile. Are all divisions and operating segments adequately prepared? Is so, to what degree? Where and how can we improve our risk management strategy to support our business objectives?  

6. What will be the ROI if we approve this cybersecurity investment? How much can we save by implementing this cybersecurity tool? Can you show me in dollars how much we could lose if we don’t? How will the ROI for this investment grow over time? Numbers tell a stronger story.

7. Can you put a dollar amount on our risk? What do we stand to lose? Do we need to mitigate or transfer the risk? I need a very good risk calculator in terms of dollar signs. I want to understand our cyber strategy in financial terms.

8. How can we avoid major penalties and lawsuits? I don’t want to find out about a potential vulnerability when it is too late. Tell it like it is. We need a mitigation strategy that is shared and adopted by all business divisions so no one must stand alone.

9. How can we avoid the reputational damage of a breach? Trust in our brand is the foundation of our business. We work every day to build it. All it takes is one wrong click in a phishing email by any employee in the company to unravel and destroy years of hard work. Identify the weakest link, assess the risk, and create a shared mitigation plan.

10. How does our risk and cybersecurity strategy compare to our peers? Like many of our competitors, we have adopted the NIST Framework and ensure we are compliant for security reporting. We have invested in cybersecurity tools, run vulnerability scans, and preach through training the importance of staying vigilant against threats every day.

But there is a way to get ahead of our peers by bringing this all together through a reporting system that measures, prioritizes, mitigates, and tracks risk for all company assets. The output of these reports leads to better discussions in the boardroom that affect, direct, and align business strategy.  

How can you improve communication between the Board and CISOs for alignment to manage cyber risk effectively? The National Association of Corporate Director’s (NACD) endorses X-Analytics as the preferred boardroom cyber risk reporting solution for their over 23,000 members. X-Analytics provides a living cyber and governance program that operates from day one at the speed of their business. Engage business leaders in the language they understand. Start today by scheduling a demo to answer questions and see how X-Analytics can transform your business by assigning dollars to risk.

‍