While it is not the board’s responsibility to write the plan, the BOD’s role is to ensure the organization has a plan and is as prepared as possible. For example, the NIST Cybersecurity Framework offers several levels of detail that cyber professionals can use to implement the controls, processes, and procedures that prepare an organization for a cyberattack and mitigate its negative after-effects.
This means that someone on the board, or someone acting as a consultant to the board, can explain the company’s cyber posture in business terms.
Five things directors need to know about cybersecurity:
-> Cybersecurity is about more than protecting data.
-> The BOD must be a knowledgeable participant in cybersecurity oversight.
-> Boards must focus on risk, reputation, and business continuity.
-> The prevailing approach to cybersecurity is defense-in-depth.
-> Cybersecurity is an organizational problem, not just a technical problem.
Seven questions the board needs to ask:
-> What are our most important assets, and how are we protecting them?
-> What are the layers of protection we have put in place?
-> How do we know if we’ve been breached? How do we detect a breach?
-> What are our response plans in the event of an incident?
-> What is the board’s role in the event of an incident?
-> What are our business recovery plans in the event of a cyber incident?
-> Is our cybersecurity investment enough?