6 Questions Every Board Should Ask Their CISO

Cybersecurity awareness and preparedness

To help their organization stay secure and competitive, the Board of Directors (BoD) must develop better cybersecurity awareness and preparedness. If you are a Board member, consider leaning on your Chief Information Security Officer (CISO) to help you establish a security-first mindset and stay informed on emerging threats and cybersecurity trends. Start the discussion by asking these six key questions of your CISO.

1. Who owns security?

Having a culture of ownership that prioritizes security can play a major role in reducing the organization’s cyber risk. Consider whether it’s clear to the entire organization that security is a business imperative. Is there a sense of ownership for security in every employee, regardless of role? Does leadership reinforce a culture of security by making security-driven decisions?

► Watch now: Who Owns What? Security Ownership and Responsibility at AWS


2. What threats does the organization face?

As a board member, are you aware of today’s cybersecurity threats and how the business is prepared to defend against them? If not, it may be time to build a closer relationship with the CISO. If the CISO is not already doing so, ask them to brief the board regularly on the organization’s cybersecurity priorities. The CISO should come prepared to discuss these priorities in business terms that emphasize the organization’s risk, resilience, and reputation rather than technical details.


3. Who has access to the company’s data?

Data is the organization’s most precious resource. If it’s not adequately protected at all times and in all places, then it could put customers and employees at risk. That’s why it’s essential for the company to monitor and manage access permissions, ensuring employees can only access data that’s essential for their role. Managing access reduces the number of people who could potentially expose sensitive data, while monitoring access will allow the security org to detect data exposures sooner and with greater precision.

► Read the Report: Data Security as Business Accelerator


4. What are the organization’s most valuable assets?

Least privilege access management is fully dependent on how the organization classifies its data. The business should be evaluating its assets on a regular basis to ensure that the most sensitive data is classified correctly and restricted to only those with the highest security permissions.


5. What layers of protection does the company have in place?

For it to be effective, security must be a multifaceted program with many layers of protection. Consider how the organization secures its infrastructure, data, applications, emails, physical buildings and data centers, and even AI development and training models. These are all layers of security that can boost the company’s resilience if they are well protected or jeopardize it if they are not.


6. Is the organization prepared to respond to a cybersecurity event?

Regular incident response testing is essential to ensure everyone knows how to react if a real event should occur. Will your organization be prepared for the real thing? Are incident response plans already in place or do they still need to be built? Have employees practiced the incident response plan enough? What is the Board’s role in those plans?

► Watch now: Vulnerability Management in a Zero Day Security Scenario


Security starts at the top

Boards that interact regularly with their CISO better understand risk and where to invest in security, enabling the business to move confidently and realize value more quickly. But not all CISOs know how to communicate effectively with the Board. Download a PDF of this resource to help navigate your next conversation with the CISO.