5 security questions your board will inevitably ask

Board members realize how critical security and risk management are and have started to ask security leaders more complex and nuanced questions. This guide groups those questions into five categories that security and risk management leaders must be prepared to answer at any board or executive meeting.

Security leaders need to give the board something it cares about and finds meaningful. Beyond individual passions and concerns, boards as a body generally care about three things:

  • Revenue/mission: Operating or nonoperating income and enhancing nonrevenue mission objectives
  • Cost: Future cost avoidance and an immediate decrease in operating expenses
  • Risk: Financial, market, regulatory compliance and security, innovation, brand, and reputation

Most board questions can be categorized into five areas.

What it sounds like: Are we 100% secure? Are you sure? 

Why it’s asked: Questions like this are often asked by board members who don’t truly understand security and its impact on the business. It’s impossible to be 100% secure or protected. The CISO’s role is to identify the highest-risk areas and allocate finite resources toward managing them in line with the business’s risk appetite.

How to respond: Begin with something like: “Considering the ever-evolving nature of the threat landscape, it’s impossible to eliminate all sources of information risk. My role is to implement controls to manage the risk. As our business grows, we have to continually reassess how much risk is appropriate. Our goal is to build a sustainable program that balances the need to protect against the need to run our business.” 

What it sounds like: How bad is it out there? What about what happened at X company? How are we compared to others? 

Why it’s asked: Board members will come across threat reports, articles, blogs and regulatory pressure to understand risks. They will always ask about what others are doing, especially peer organizations. They want to know what the “weather” looks like and how they compare to others.

How to respond: Avoid guessing at the root cause of a security issue at a different company. Say something like, “I don’t want to speculate on the incident at Company XYZ until more information is available, but I’ll be happy to follow up with you when I know more.” Then turn the discussion to what the incident means for your own organization: whether you have a similar weakness, how it is being fixed, and whether business continuity plans need updating.

What it sounds like: Do we know what our risks are? What keeps you up at night? 

Why it’s asked: The board knows that accepting risk is a choice (if it doesn’t, that’s a problem you need to solve). It wants to know that the company’s risks are being handled. CISOs should be prepared to explain the organization’s risk tolerance and to use it to defend risk management decisions. 

How to respond: Explain the business impact of risk management decisions and ensure that your positions are supported by evidence. The second part is vital because the board makes its decisions against the stated risk tolerance. Any risk outside the tolerance level requires a remedy to bring it within tolerance. This doesn’t necessarily mean dramatic changes in a short period; beware of overreacting. The board will be seeking assurance that material risks are being adequately managed, and a measured, longer-term approach may be the appropriate answer in some cases.

What it sounds like: Are we appropriately allocating resources? Are we spending enough? Why are we spending so much? 

Why it’s asked: The board wants reassurance that security and risk management leaders are not standing still. Board members will want to see metrics and a return on the money spent.

How to respond: Use a balanced scorecard approach in which the top layer expresses business aspirations, and the organization’s performance against those aspirations is shown with a simple traffic-light (red/amber/green) rating. As much as possible, state aspirations in terms of business performance, not technology. Each rating is underpinned by a set of security measurements evaluated against objective criteria, so that you can show the evidence behind any light the board asks about.

What it sounds like: How did this happen? I thought you had this under control. What went wrong? 

Why it’s asked: This is asked when an incident or event has occurred and the board either already knows about it or the CISO is informing them of it. 

How to respond: Incidents are inevitable, so be factual. Share what you know and what you are doing to find out what you don’t yet know. In short, acknowledge the incident, describe the business impact, outline the weaknesses or gaps that need to be addressed, and present a mitigation plan. When presenting that plan, lay out the options and their trade-offs rather than endorsing one as the only choice; the decision belongs to the board. Responsibility for running the security and risk program remains with the security leader, but accountability for accepting the resulting risk must always be defined at the board/executive level.