Questions For Every CIO and Board About Security
The CIO is in a unique position to give the Board the information it needs to assess and evaluate the security approach and activity, as well as incident response and recovery. The Board needs this information through direct and indirect vehicles: reports, sessions devoted to security, ongoing education, timely assessments and third-party input. In turn, the Board needs to help determine the internal checks and balances that ensure it is receiving unbiased information. It needs to know how management is thinking about security.
Together, the CIO and Board address several critical questions:
:: What should the focus of the Board be with regard to cyber-security?
:: How will the Board and Leadership interact?
:: Who is accountable for the assessment and management of risks?
:: How do policies and procedures reflect commitment to cyber-security?
:: Which IT metrics will make up a new dashboard?
:: What is the incident response and recovery plan?
:: How will the Board receive ongoing education in cyber-security?
Cyber-risk is business risk. The focus is on the impact to the business more than the impact to technology. The defense is in the details. The details are in the questions.