Information security is a Board issue. Not everyone seems to appreciate this, and one of the more disheartening aspects of my day job is how hard it is to get senior execs to take the time to have security awareness training and engage with security policy.
Why is it a Board issue? Firstly because directors have a fiduciary duty to take care of the best interests of shareholders, which means balancing profit against risk, and short-term against long-term. Given the level of threat that data breaches and cyber compromise represent to an organisation’s survival, not just its revenues, failing to take the issue seriously is a breach of that duty.
Secondly because, unless the Board shows that it is interested, it’s very hard to get anyone else in an organisation to care, and it’s even harder to get any budget dedicated to cyber (never mind trying to get budget for broader approaches to information assurance). This is why CISSP doctrine is that the organisation’s information security policy must be signed by the CEO and approved by the Board.
All well-constructed Boards have non-executive directors. The purpose of the non-exec is to ask difficult questions of the execs, in order to ensure that the shareholders’ interests are foremost and that the company is following best practice. These days you can replace “shareholder” with “stakeholder”, but the effect is the same, and it’s shareholders whose interests are protected in law.
Sadly, very few non-execs come from an IT background. Not many of them seem to take their responsibility for governance seriously enough to begin with, and fewer still even know which questions to ask when it comes to information security.
My top tip would be to make sure someone on your board has explicit responsibility for information security governance, and that they either have the right background or are receiving the right training or support. But if you can’t do that, here are a dozen questions you should ask your Board:
- Do we have an information security framework (an information security policy and all its associated policy and procedure documents)? Who owns it, how frequently is it updated, and who is consulted internally and externally on its contents? Is everyone in the organisation familiar with its contents (or at least with the parts relevant to their role)? How is this verified?
- Do we have regular security awareness training? How do we make sure that new joiners are trained before they are placed in a position to cause harm – maliciously or inadvertently? Does the training extend to everyone, including contractors, temps…and senior execs?
- Do we have any security certifications, such as Cyber-Essentials (or CE Plus), ISO 27001, PCI-DSS? If not, why not? If we do, when were they last audited?
- Is anyone external contracted to review our information security? If not, why not? If so, when did they last report, and did we get a clean bill of health?
- How much do we spend specifically on information security? How does that compare to sector/segment averages? If we’re underspending relative to our peers, why is that and what risks are we accepting as a result?
- Do we have a business continuity plan? When was it last reviewed, last tested, and last communicated to staff? How much downtime does it envisage for some common scenarios: fire, flood, transport interruption, etc.? What does that downtime mean to the company in terms of revenue impact?
- Do we have a risk assessment for data? Have we looked at what information we keep, why we keep it and what the impact would be if it was breached? Have we compared the benefits of retaining/using the information to the costs of protecting it and the risks of breaching it?
- Do we have a crisis communications plan? Do we know who will say what to whom in the event of a breach? Have we communicated this to staff? How is their understanding of the plan verified?
- How frequently were we breached in the last year, and how frequently did we detect and prevent an attempted breach? How does this compare to industry averages, especially in countries like the US that have disclosure laws? If we think we haven’t been breached, what have we done to prove that this is the case?
- Do we have routine reporting to the Board on cyber-risk, our prevention measures and the risks we are accepting? If not, why not? If so, how frequently is it reported and do we have a formal vote to accept or reject the report and any recommendations made in it?
- Have we reviewed all of the legislation and regulation relevant to our data and IT operations and ensured that we are compliant? Who is responsible for this activity and how is it audited? Do we have a plan to deal with known regulatory changes such as the GDPR?
- Are we insured against cyber risks? If not, why not? Does our insurance adequately cover both our own potential losses and any collateral losses to which we might be exposed through obligations to our customers or suppliers?
Of course, asking the questions is only the start – you also have to understand the answers and act on them. But we can all think of several recent examples where it appears the questions weren’t asked in the first place. Don’t be the next one.