6 key questions for boards to ask cybersecurity chiefs

With cybersecurity concerns on the rise, board directors of organizations across all industries are trying to bolster their knowledge about security risks and the security profile of their organizations.

The most common question board directors ask their cybersecurity chiefs is often inadequate for today’s security landscape, Phil Ferraro, former CISO at Las Vegas Sands, told the Wall Street Journal. Too often, boards will ask cybersecurity chiefs if their company is vulnerable to a breach like the ones that occurred at Target, Anthem or the Office of Personnel Management. Such questions, Mr. Ferraro said, are too simplistic for today’s environment. “Directors don’t understand that no security is ever perfect,” he said.

Instead, Mr. Ferraro suggested boards ask questions about specific events and risks within the company. Guidance from the National Association of Corporate Directors suggests the same, according to the WSJ, including questions on how CISOs measure their teams and technology and whether they keep continuous contact with the FBI and other law enforcement agencies.

Instead of asking if companies are vulnerable, Mr. Ferraro said it is more productive to discuss actionable ways to decrease the risk of attack and how to manage one in the event that a breach occurs.

Here are six key questions directors should ask cybersecurity chiefs, from NACD.

  1. What was our most significant cybersecurity incident in the past quarter? What was our response?
  2. What was our most significant near miss? How was it discovered?
  3. How do we evaluate the performance of the security team?
  4. Do you have relationships with law enforcement?
  5. Do you work with business leaders on due diligence of acquisition targets and with supply chain leaders on security protocols of vendors and partners?
  6. What process is in place to ensure you can provide quick, comprehensive disclosure of cybersecurity deficiencies?
