Cyber: Q&A with the Board

As an information security professional, whether you’re working within Risk Management, Information Security, or Cybersecurity, you need to be prepared for a multitude of situations. This includes being asked very direct and candid questions about your current security posture. This series is based on our experiences and interactions with a variety of Boards of Directors, Advisory Boards, and other Governing Bodies with our clients across multiple industries.

No one, whether you’re on an Executive Leadership Team or the manager responsible for overseeing security operations, wants to be caught off guard. Nor do you want to be ill-prepared when asked about your overall security posture. At The Rubicon Advisory Group, we felt it beneficial to put together a series of common questions that are being asked from the perspective of those Boards and provide you, whether you’re in Senior Management or a lone practitioner, with the details behind the questions being asked today.

It is not our intent to provide you with an exhaustive list, and this series does not cover everything an organization must do to protect and secure itself. For that, you will need to tailor how you govern cybersecurity to the specific needs of your organization.

However, we felt it would be beneficial to understand the common drivers behind some of the questions being asked and give you a foundation and some insight into what is being expected of cybersecurity’s role and function within organizations today. 

It is our hope that through this understanding you can best position your information & cyber security efforts in such a way that you demonstrate that not only do you understand what the organization needs in order to succeed, but also that you’re able to instill the confidence they are seeking while demonstrating that you “get it”.

This series is going to cover three specific areas, with each relevant question answered in the context of that area’s specific focus.  We’re going to dive into and discuss the following three key areas:

Policy and Governance

How we govern and the policies we establish set the tone for what behaviors are expected. Governance is about being able to demonstrate value to the relevant stakeholders. Value only occurs when benefits are fully realized. In order to accomplish this, we need to properly prioritize our limited resources in such a way that they address the greatest risks to the organization. In short, we must ensure that we are properly managing risk within our organization.

Governance, and by extension policies, defines the set of control requirements which effectively manage risk within an organization to acceptable levels.  It is not uncommon for the Board (or other governing body) to start asking basic questions.  If these questions are not sufficiently answered, they’ll start diving deeper. 

We are seeing these questions become commonplace in Board meetings when it comes to Policy and Governance. You should be prepared to answer:

  1. How are you protecting and handling sensitive or regulated data? Are you protecting data on devices that can be lost or stolen?
  2. Who has access to our systems? How do we identify them? After third-parties have access, how quickly can we sever access to our systems and data?
  3. How will the organization respond when sensitive or regulated data is lost/stolen/ransomed? Is there a clear plan for response, including incident or crisis communication?

Security Instrumentation and Processes

The following questions reflect very common industry best practices for organizations that wish to harden their security posture, particularly against cyberattacks. While they tend to be more technical in nature, these questions are now routinely being asked by various Boards. Your answers will demonstrate how effectively your organization will manage and mitigate the increased use of these attack methods. If an organization doesn’t get these practices right, most of its other protective measures can quickly become overwhelmed or useless.

You should be able to answer and address the following questions for the Board:

  1. How do you manage network traffic to and from your network?
  2. How do you manage remote access?
  3. How do you define and manage your perimeter?

Advanced Defensive Practices and Capabilities

The following questions reflect common industry best practices that are often symbolic of more mature organizations and tend to be highly effective in cybersecurity defensive and incident response efforts. We are seeing Governing Bodies ask more detailed and specific hard-hitting questions. You need to consider how your organization stacks up in answering these questions. You should be prepared to answer:

  1. Are you doing Full-Packet Captures or collecting and analyzing NetFlow data?
  2. What are you doing with regard to Identity and Access Management? What is the central authority that governs your Active Directory domains?
  3. What are you doing in regard to threat intelligence? How do you get your actionable cyber threat intelligence?
  4. Do you employ a data loss prevention system as part of your compliance/security program?
