Cyber risk is rising, prompting the board and senior leadership to ask more questions about cybersecurity. How bad is it out there? What about what happened to our competitors? How do we compare to others in our industry?
Breaches and cybersecurity are a hot topic of discussion at most board meetings. Of course, there are a million questions to ask, but we’ve compiled a list of the top five you should be prepared for.
Are We Protected and How Do We Know?
This question will likely kick off the board’s conversation. Board members come across threat reports, articles, blogs and news segments everywhere they go. We all do these days. But regulatory pressure, and the push to understand risk, can come from vendors and prospects as well. Are you losing deals to the competition because they have a SOC 2 report or an ISO 27001 certification? How do you stack up? Are you losing business?
Having an InfoSec program, providing ongoing employee security training and appointing a CISO are incredibly important for protecting an organization. Unfortunately, a company can’t be 100% protected, and a breach will likely happen at some point. What the board wants to know is that there’s a plan in place. Have you done your vendor risk assessments? Are you up to date on your certifications and attestations?
What Is Our Most Sensitive Data?
As mentioned, a data breach in this day and age is inevitable. It’s not an IF but a WHEN. So as you’re creating your InfoSec program and completing your risk assessment, make sure to look at all the kinds of data you work with and where it’s stored.
Hackers are clever and have too much time on their hands. They spend copious amounts of time analyzing industries and companies, evaluating which information is the most valuable and which targets offer the best bang for their buck.
For example, e-commerce platforms store credit card information. Access that and you’ve hit the jackpot. So e-commerce platforms need to act accordingly and use techniques to protect that information. The PCI DSS standard helps keep that information more secure and helps keep the hackers out, but it doesn’t guarantee protection.
This oversimplified example is specific to e-commerce and is not a one-size-fits-all exercise. Your organization’s risk profile and risk treatment plan should fit your industry and your business like a glove. A simple starting point is to list your data sets from high priority to low priority. Then your CISO and board can build a strategy around protecting the crown jewels.
Have We Had a Breach and What’s Our Ability to Respond?
Data loss is detrimental to business and typically leads to downtime that no one wants. In extreme cases, it can even close a business. Therefore, the board will ask this question seeking reassurance.
Is our current InfoSec approach working? Do we need to reevaluate? Did we successfully respond or contain the breach? How did it affect our employees, vendors and customers?
Congratulations if you’re breach-free, but it still never hurts to ponder these questions.
Are We Appropriately Allocating Resources?
This may be the most challenging question to answer and show evidence for because board members want to see ROI.
Are we spending enough? Why are we spending so much? How do we compare to others? Is there a tool that could help us?
ROI on cybersecurity is complex but not impossible. For example, in our Cost of SOC 2 blog, there’s a chart showing the cost of compliance with and without Tugboat Logic. SOC 2 requires resources, time, expertise and a lot of evidence. If you can work smarter, and not just harder, boards are happy. That’s an ROI they can get behind.
Completing an attestation like SOC 2 also boosts your bottom line. It shows your vendors, potential customers and investors that you’re trustworthy. And while you can potentially see that increase at the end of each quarter, boards also know you can’t put a dollar amount on trust and reputation. It’s priceless.
Do We Need Cybersecurity Insurance?
Depending on the type of risks you identified, there are four risk treatment options:
- Accept: To acknowledge the risk but decide that any actions to avoid or mitigate the risk will be too costly or time-consuming. The benefits don’t exceed the cost.
- Transfer: To take action(s) that shift the risk to another entity (e.g., an insurance company, or using AWS instead of running your own data center with its servers, physical security measures, etc.).
- Mitigate: To take action(s) to minimize the potential impact of any given risk by implementing mitigating controls.
- Avoid: To take action(s) that will eliminate the risk in its entirety.
It’s impossible to be 100 percent secure or protected, and that’s where cybersecurity insurance provides peace of mind. The simple answer here is yes, but ensuring that you have the correct level of insurance proves to be a challenge. The right level of coverage depends on your risk level, your threat landscape and how well you understand the threats and risks facing your organization. Then, when you create or reevaluate your risk treatment plan, you can discuss appropriate levels with a broker and determine the best course of action.
Answering the Board
Getting ready for a board meeting is often a stressful task, and InfoSec is critical to success. Boards know that 60% of SMBs go out of business in year one due to data breaches. But when it comes to cybersecurity, demonstrating ROI and ensuring that you’re protected is a bit of a gray area. There are a lot of numbers to compile, and they’re often scattered across multiple places. Having a single source of truth through a platform or tool can save hundreds of hours and thousands of dollars, something all boards love.
Tugboat Logic is here to help. We have over 100 years of combined experience working in security. So let our team of ex-auditors and security veterans help you launch your security program and assist you on your compliance journey.
Are you interested in turning your security and compliance program into a business advantage and assuring your board your organization is secure? Get a free trial or contact one of our representatives at firstname.lastname@example.org today.