As reported in the WSJ, the National Association of Corporate Directors advises that boards ask their companies’ chief information security officers some pointed questions about cybersecurity risks. Often, boards just ask whether the company is vulnerable to cyberattacks like those recently experienced at the U.S. Office of Personnel Management and at a number of private companies.  But that’s not likely to be effective, the NACD argues.  Why not?   Because no security system is perfect and all companies are vulnerable to some extent.  Instead, the NACD recommends, boards should focus on decreasing the risk of attack as well as understanding the process that is in place to manage a cyberattack should one occur. Copied below are examples the NACD views as more effective questions for boards to ask their heads of cybersecurity:

  • “What was our most significant cybersecurity incident in the past quarter? What was our response?

  • What was our most significant near miss? How was it discovered?

  • How is the performance of the security team evaluated?

  • Do you have relationships with law enforcement, such as the FBI and Interpol?

  • Do you work with business leaders on due diligence of acquisition targets? With supply chain leaders on security protocols of vendors and other partners?

  • What process is in place to ensure you can escalate serious issues and provide prompt, full disclosure of cybersecurity deficiencies?

Source: National Association of Corporate Directors”

Still, there is no one-size-fits-all set of questions, and the worst threats may well be those that haven’t even been contemplated by the company or the CISO.

Directors are advised to engage CISOs regularly and, where necessary, encourage the CISO to educate board members about the range of potential security problems: only “11% of board members across industries say they have a ‘high level’ of knowledge about the topic, according to a recent NACD survey of 1,034 directors.” Finally, NACD advocates that CISOs work with board members to develop “a process to ensure they can escalate serious issues and provide prompt, full disclosure of cybersecurity deficiencies….”