6 Questions Every Board Should Ask Their CISO
To help their organization stay secure and competitive, the Board of Directors (BoD) must develop better cybersecurity awareness and preparedness. If you are a Board member, consider leaning on your Chief Information Security Officer (CISO) to help you establish a security-first mindset and stay informed on emerging threats and cybersecurity trends. Start the discussion by asking these six key questions of your CISO.
Who owns security?
Having a culture of ownership that prioritizes security can play a major role in reducing the organization’s cyber risk. Consider whether it’s clear to the entire organization that security is a business imperative. Is there a sense of ownership for security in every employee, regardless of role? Does leadership reinforce a culture of security by making security-driven decisions?
What threats does the organization face?
As a Board member, are you aware of today’s cybersecurity threats and how the business is prepared to defend against them? If not, it may be time to build a closer relationship with the CISO. If the CISO isn’t already doing so, ask them to brief the Board regularly on the organization’s cybersecurity priorities. The CISO should come prepared to discuss these priorities in business terms that emphasize the organization’s risk, resilience, and reputation rather than technical details.
Who has access to the company’s data?
Data is the organization’s most precious resource. If it’s not adequately protected at all times and in all places, it could put customers and employees at risk. That’s why it’s essential for the company to monitor and manage access permissions, ensuring employees can only access the data that’s essential for their role. Managing access reduces the number of people who could potentially expose sensitive data, while monitoring access allows the security organization to detect data exposures sooner and with greater precision.
What are the organization’s most valuable assets?
Least privilege access management is fully dependent on how the organization classifies its data. The business should be evaluating its assets on a regular basis to ensure that the most sensitive data is classified correctly and restricted to only those with the highest security permissions.
What layers of protection does the company have in place?
To be effective, security must be a multifaceted program with many layers of protection. Consider how the organization secures its infrastructure, data, applications, email, physical buildings and data centers, and even AI development and training models. Each of these is a layer of security that can boost the company’s resilience if it is well protected, or jeopardize it if it is not.
Is the organization prepared to respond to a cybersecurity event?
Regular incident response testing is essential to ensure everyone knows how to react if a real event should occur. Will your organization be prepared for the real thing? Are incident response plans already in place or do they still need to be built? Have employees practiced the incident response plan enough? What is the Board’s role in those plans?
Security starts at the top
Boards that interact regularly with their CISO better understand risk and where to invest in security, enabling the business to move confidently and realize value more quickly. But not all CISOs know how to communicate effectively with the Board. Download a PDF of this resource to help navigate your next conversation with the CISO.