Throughout my career in information security, I’ve partnered with several organizations both as a board member and board consultant.
These experiences have given me ample insight into how companies approach cybersecurity, including the weaknesses and strengths of their approach.
In my journey towards helping organizations bridge their cybersecurity and risk management gaps, I wanted to share some of the security questions I am most frequently asked at board meetings, along with my answer to each of them.
- Are we secure? This question is like asking “Will I die today?” Cybersecurity is about risk management, so you have to approach it as such. A more apt question would be “I know I could die today, but what have we done to minimize that risk?” In the case of cybersecurity, that question could be “What have we done to minimize risks?”
- What do you need from the board? This question is typically asked because of one of the following reasons:
A. The board is not aware of exactly what they need to help with, but they are aware that cybersecurity is an inherent risk. Ransomware is currently on most minds in boardrooms because it is so prevalent in the news and because it can shut down an organization.
B. The board may actually know what is needed but would prefer to hear a confirmation from the CISO, in particular in terms of the financials needed. This is where CISOs need to make business sense. If we have assets worth $1 million and I’m asking for $5 million in funding, that doesn’t make sense. However, if I add business context like “GDPR can impose fines of €20 million or 4% of worldwide turnover,” that $5 million makes a whole lot more sense.
- What are the key threats against our top assets? The answer to this question varies depending on the organization. However, the top three threats companies face right now are Ransomware, Phishing, and Man-in-the-Middle attacks.
- Have you defined acceptable risk levels? The answer should be yes. In other words, before meeting the board, we should have already gone through an exploration process to determine the level of residual risk that represents a reasonable level of potential disruption and/or loss for specific systems.
- How do we prove our controls are effective against the risks? In order to do so, all controls need to be tested. Assessments are performed by various teams, and if any control is determined to be deficient, it is remediated accordingly.
- How bad is it out there? I saw X happen at company Y; how are we protected from the same issue? Although cyberattacks may seem to be proliferating, cybersecurity now is better than ever before. Companies are more aware of their risks, and of the controls and technology available to protect themselves. A recent well-known example was the hacking of Uber. They failed to protect themselves against a top-three threat, Man-in-the-Middle, which led to their environment being compromised. This threat could have been easily avoided with the enforcement of hardware keys, which cannot be phished.
- Are we appropriately allocating resources? How do we know if we are spending too much or too little? The proper allocation of funds is one of my top priorities, so I would typically answer this question with a yes. However, my answer would be something along the lines of “Yes, we are allocating resources where they best serve us, but that doesn’t mean we have all the resources we need.” The way we know if we are spending enough is by performing capacity planning against our risk plans. If we know that Project X takes Y hours and we only have Z people who can work fewer than Y hours in total, then we need more resources.
- In case of a breach, do we have a plan to respond? Most, but not all, scenarios should be outlined in your existing incident response plan.
Please note that it would be impractical to think we can prepare for every scenario. However, you can plan for the most likely and/or most common ones. The plan outlines what is supposed to be done and the team in charge of doing it.