While it is not the board’s responsibility to write the plan, it is the BOD’s role to make sure the organization has a plan and is as prepared as it can be. For example, the NIST Cybersecurity Framework offers many levels of detail that cyber professionals can use to implement the controls, processes, and procedures that prepare an organization for a cyberattack and mitigate the negative after-effects when an attack occurs.
This means that someone on the board, or someone acting as a consultant to the board, should be able to explain the company’s cyber posture in business terms.
Five things directors need to know about cybersecurity.
- Cybersecurity is about more than protecting data.
- The BODs must be knowledgeable participants in cybersecurity oversight.
- Boards must focus on risk, reputation, and business continuity.
- The prevailing approach to cybersecurity is defense-in-depth.
- Cybersecurity is an organizational problem, not just a technical problem.
Seven questions the board needs to hear answered.
- What are our most important assets and how are we protecting them?
- What are the layers of protection we have put in place?
- How do we know if we’ve been breached? How do we detect a breach?
- What are our response plans in the event of an incident?
- What is the board’s role in the event of an incident?
- What are our business recovery plans in the event of a cyber incident?
- Is our cybersecurity investment enough?