Icebergs Ahead: Five Questions Every Board Should Ask the CISO
Picture this: Your chief information security officer (CISO) has arrived at the board meeting to give a rundown on your bank’s latest efforts to mitigate cyber risk. You’d like to take an active role in data governance (kudos for that!), but what are you supposed to ask? You’re not a cyber security expert.
In fact, many board members may not understand everything that the CISO’s role entails or the specifics of how the CISO’s responsibilities differ from those of the CIO and CTO. Whereas CIOs and CTOs make the technology work, CISOs identify and manage technology-related threats to the bank’s operations or reputation. They must obtain a 360-degree view of the threats and how much they might end up costing the organization, as well as the costs of reducing the probability of a cyber-attack to an acceptable level.
Given the prevalence of security breaches and the scope and magnitude of the consequences, getting “up close and personal” with your CISO shouldn’t require a chance encounter in the elevator. You should demand direct access to the CISO on a formal—and regular—basis.
But that doesn’t mean you need to dig into the technical details about risks and mitigation plans. By asking a set of high-level questions, you can gather information that positions you to be an active participant in key strategic decisions relating to information security:
1. What are the top information-security threats facing your bank? These are the “icebergs” that have the potential to severely damage the bank’s viability. Theft of data often grabs the headlines, but cyber attacks are alarmingly diverse. Other potential threats include a “denial of service” attack that could stop your bank from operating its business, as well as malware injection and phishing, to name just a few.
2. For each of these major threats, what are your bank’s mitigation strategies and the costs for executing them? Find out how the information security team plans to reduce these threats to a tolerable level and ensure that the costs of mitigation don’t outweigh the expected benefits. The CISO should also be able to explain how the team monitors the performance of the mitigation actions.
3. How frequently does your company reevaluate previously identified risks and seek to identify new ones? The information security team should never assume that it knows all the major threats or is mitigating them effectively. Ensure that the team re-evaluates which icebergs are out there at least annually, and then examines whether its mitigation strategies are still effective.
4. What is the crisis response plan when risk management fails? It’s a question of when, not if, your bank will experience some form of a cyber attack. How it responds will make a huge difference in terms of both financial and reputational damage. The CISO should be able to present a few slides that summarize the response plan for the top-three threat scenarios. Make sure the information security team is applying lessons from previous incidents that occurred at your bank and as well as at other banks in their efforts to aggressively manage the potential fallout from attacks.
5. To what extent are the budgets for technology spending and security spending aligned and proportionately scaled? Security spending should grow proportionately with technology spending. You don’t want your technology infrastructure to grow faster than the information security team’s ability to mitigate the risks. Ensure that the team has the resources it needs to keep pace.
Remember, you don’t have to be a cybersecurity expert to talk to the CISO. If the discussion strays into the technical weeds, steer the CISO back to business issues. The same common sense principles and risk-versus-reward assessments that drive discussions when you’re planning a merger or acquisition are just as helpful if you’re talking about information security risks with your CISO.