6 Questions Every Board Should Ask Their CISO

Having a culture of ownership that prioritizes security can play a major role in reducing the organization’s cyber risk. Consider whether it’s clear to the entire organization that security is a business imperative. Is there a sense of ownership for security in every employee, regardless of role? Does leadership reinforce a culture of security by making security-driven decisions?

As a board member, are you aware of today’s cybersecurity threats and how the business is prepared to defend against them? If not, it may be time to build a closer relationship with the CISO. If they aren’t already, ask the CISO to debrief the board regularly on the organization’s cybersecurity priorities. The CISO should come prepared to discuss these priorities in business terms that emphasize the organization’s risk, resilience, and reputation rather than technical details.

Data is the organization’s most precious resource. If it’s not adequately protected at all times and in all places, then it could put customers and employees at risk. That’s why it’s essential for the company to monitor and manage access permissions, ensuring employees can only access data that’s essential for their role. Managing access reduces the number of people who could potentially expose sensitive data, while monitoring access will allow the security org to detect data exposures sooner and with greater precision.

Least privilege access management is fully dependent on how the organization classifies its data. The business should be evaluating its assets on a regular basis to ensure that the most sensitive data is classified correctly and restricted to only those with the highest security permissions.

For it to be effective, security must be a multifaceted program with many layers of protection. Consider how the organization secures its infrastructure, data, applications, emails, physical buildings and data centers, and even AI development and training models. These are all layers of security that can boost the company’s resilience if they are well protected or jeopardize it if they are not.

Regular incident response testing is essential to ensure everyone knows how to react if a real event should occur. Will your organization be prepared for the real thing? Are incident response plans already in place or do they still need to be built? Have employees practiced the incident response plan enough? What is the Board’s role in those plans?