Google’s CISO Says Boards, CEOs Need to Ask These Questions
Cybersecurity and privacy are a key pillar of every company’s risk governance program – or at least should be.
Alicja Cade, Director, Financial Services, Office of the CISO, Google Cloud, suggests some questions Boards and CEOs should be asking about the company’s cybersecurity program.
Here are some questions that she recommends the Board get answers to:
- How good are we at cybersecurity? Boards need to learn more about the people and expertise their cybersecurity teams have. Boards, she says, cannot rely solely on compliance dashboards and security controls. Boards need to understand more about the team’s practical capacity to respond to events.
- How resilient are we? Boards need to ask about how prepared the organization is to keep the business running in the case of a ransomware event. Are we testing this capability? Can we operate with key services degraded or not operating?
- What is our risk? Cybersecurity risk assessments need to address at least five key areas – 1) an assessment of the organization’s current threat exposure; 2) an explanation of what the cybersecurity leadership is doing to mitigate those threats; 3) examples of how the organization is testing whether the controls are effective; 4) an assessment of the consequences if those threats materialize as incidents: are we ready to respond and recover; and 5) an assessment of the risks that you aren’t going to mitigate, but will otherwise accept.
- What top-of-mind cybersecurity challenges are organizations facing today and how can the Board be more proactive? One of these is AI – how can we harness it and how do we make sure it doesn’t harm the company.
- How should Boards balance cybersecurity with other business priorities such as innovation and growth? The answer includes a deeper collaboration between the C-Suite members – CISO, CIO, CTO, CCO and other business leaders.
- What common misconceptions may Boards have about cybersecurity? It cannot be the sole responsibility of the CISO – it needs to be a team sport. All line-of-business managers need to address cybersecurity as part of their business strategy.
- How can Boards ensure they are adequately prepared for potential regulatory obligations related to cybersecurity? Regulations around cybersecurity and privacy are only increasing. Boards need to get educated, be engaged and stay informed.
If this makes your head spin, we offer a range of cybersecurity advisory services to Boards. Please contact us for details.