April 6, 2015
12 Questions for Managing Cyber Risk
by Norman Marks
Directors can use the questions when asking management about the organization’s understanding and management of cyber risk.
Recently, I participated in an NACD Master Class. I was a panelist in discussions of technology and cyber risk with 40 to 50 board members very actively involved, because this is a hot topic for boards.
I developed and shared a list of 12 questions that directors can use when they ask management about their organization’s understanding and management of cyber-related business risk.
The set of questions can also be used by executive management, risk professionals or internal auditors, or even by information security professionals interested in assessing whether they have all the necessary bases covered.
This is my list:
1. How do you identify and assess cyber-related risks?
2. Is your assessment of cyber-related risks integrated with your enterprise-wide risk management program so you can include all the potential effects on the business (including business disruption, reputation risk, inability to bill customers, loss of intellectual property, compliance risk and so on) and not just IT risk?
3. How do you evaluate the risk to know whether it is too high?
4. How do you decide what actions to take and how many resources to allocate?
5. How often do you update your cyber risk assessment? Do you have sufficient insight into changes in cyber-related risks?
6. How do you assess the potential new risks introduced by new technology? How do you determine when to take the risk because of the business value?
7. Are you satisfied that you have an appropriate level of protection in place to minimize the risk of a successful attack?
8. How will you know when your defenses have been breached? Will you know fast enough to minimize any loss or damage?
9. Can you respond appropriately at speed?
10. What procedures are in place to notify you, and then the board, in the event of a breach?
11. Who has responsibility for cybersecurity, and do they have the access they need to senior management?
12. Is there an appropriate risk-aware culture within the organization, especially given the potential for any manager to introduce new risks by signing up for new cloud services?
I am interested in your comments on the list, how it can be improved and how useful it is – and to whom.