Aug 18, 2016 The Wrong (and Right) Questions the Board Should Ask the CISO
There’s a great recent piece in BankInfo Security on “the top four questions the board should ask the CISO”. I like it because not only is it insightful, but it also serves as a fantastic advertisement for Nemertes’ services.
Lest anyone forget, we are in the business of assisting clients with their security initiatives, and regularly present findings to their boards.
So here are the blog’s top 4 questions:
1: Is There an Information Security Framework in Place? A thousand times yes! And more specifically, the “framework” must–MUST!–include both a security architecture and technology roadmap. Too many frameworks (including, sadly, NIST’s) are too high-level. It’s all well and good to have pretty documentation of your efforts—but at the end of the day, you need to know what tools and processes to implement, and what your people are doing to keep you secure.
2: What is the Scope and Methodology of Risk Assessment? We suggest you start with a Business Risk Portfolio Assessment–and we’re more than happy to help you get started.
3: How Do You Measure the InfoSec Program Maturity Processes? Yet another fantastic question. You might try working with the Nemertes Security and Risk Management Maturity Model. Have a look at our handy-dandy webinar explaining the key concepts.
4: What Are We Doing to Respond to a Particular Threat Making Headlines? This question looks like one of the “one of these items does not belong” questions in the multiple-choice section of the SATs. The top three are strategic; this one seems strikingly tactical. Does it really belong in the board’s lexicon?
The answer is “yes”. Here’s the thing: A CISO can have the best strategy, framework, architecture and roadmap; the top technology, processes, and people; score at a “level 10” on the maturity model–and the company can still be slammed by the latest off-the-wall threat, whether it’s foreign-entity attacks or the current attack du jour, ransomware.
To do the job properly, a CISO needs to stay on top of both the strategic and the tactical issues. (So in case you haven’t gotten your arms around ransomware, here’s a blueprint for protection.)
The bottom line? Every board should be asking these questions–and every CISO should be prepared to answer them.