Do you understand your existing cyber security policies and procedures? If not, there is a need for these policies and procedures to be rewritten in concise and clear language. These documents are only effective if they are immediately understandable and workable.
Are you getting the answers that you need about your cyber security posture? Indeed, are you asking the right questions? If the IT and/or cyber security leadership cannot properly and fully articulate the strategy for delivering information security, such that this can be fully understood at a board level, then questions need to be asked as to whether the right person is representing the organization in these matters. Boards have a duty to their shareholders and other stakeholders to ask detailed and probing questions relating to the organization’s ability to protect its critical data assets.
In drawing up the policies and procedures, have you involved all the business heads? Cyber security should not be considered as a silo. This is an organization-wide issue that needs input from leadership across the board, particularly when considering the gaps in business processes that may lead to cyber fraud and business disruption.
Have you instructed that incident response plans be tested? No matter how clear and well-written the policies and procedures may be, if they are never tested under realistic circumstances, then there is no way to determine whether they will work or not. Cyber crisis table-top exercises (involving leadership) can be the most effective means of identifying (and subsequently remedying) potentially disastrous gaps that would manifest in a real incident. Any test should involve not just your IT/Security team and the points of contact for the executive team and the board, but all those whose expertise you will rely on in the event of an incident – legal, investor relations, HR, external technical experts, external counsel, and the crisis communications teams, to name but a few of the most important stakeholders.
How are you measuring the effectiveness of cyber security spending? Boards are often asked to approve large sums for cyber security solutions and hires. Yet, what metrics do they have to measure whether these funds have been well spent? Has consideration been given to engaging independent external specialists to test the cyber security defenses in the same way that a real hacker would, without the prior knowledge of the cyber security team? Testing under real-life scenarios is the only way to effectively know if your security is working. In addition to testing, have you considered having your cyber security plans, projects, organization, and budgets reviewed by an independent third party? Companies like Kroll can review your organization’s current state against the threats we see globally targeting others working in your market and geography, and discuss whether your plans are likely to address/detect the threats, and how your resource allocation compares with similar organizations.
Are you leading by example? Enhanced cyber security often leads to restrictions and tighter controls on device access and usage. When these are properly explained, staff should recognize that they are for the benefit of organizational security as a whole. If boards and executives accept these measures and adopt enhanced security controls (rather than requesting exemptions for convenience), then this sends a message that security starts at the top and must be adhered to by everyone. Personalized messages in support of cyber security education programs can also go a long way to promoting organization-wide awareness and responsibility.
Have you considered enlisting expert advisors? At the very least, regular board briefings by appropriate and credible cyber security experts are a must. Many boards nowadays are going one step further and engaging this expertise in the form of non-executive board members.