Computerworld

INSIGHT: Top cybersecurity questions every board needs to address

Cyber protection is no longer a technical issue; it is a business issue requiring board attention, and cybersecurity needs to be approached in a holistic manner, states a new report from global IT association ISACA.

The guidance, titled The Cyberresilient Enterprise: What the Board of Directors Needs to Ask, describes the need for governance over critical cyber events to help reduce the impact of cyber incidents and restore normal business operations.

The in-depth guidance includes 19 key questions board members should ask in order to build a resilient enterprise: one that ties protection and recovery to the goals of the organisation and implements programs to sustain essential services.

“Today’s attacks on enterprises are persistent and advanced; no enterprise is 100 percent secure,” says Ron Hale, Ph.D., CISM, Chief Knowledge Officer, ISACA.

“It is no longer sufficient to only focus on prevention and detection.

“As the paper points out, board members need to evaluate the operational risk inherent in today’s digital business and direct management to ensure that the enterprise is more than just protected - it is resilient.”

According to the paper, to be cyber resilient the enterprise must understand and prioritise stakeholder needs, identify the core business processes needed to meet the mission and goals of the enterprise, and understand the potential impact a cyber event will have on the business.

Key questions boards should ask include:

· Is sufficient attention given to the ability to defend against intrusions as well as the ability to recover and restore essential functions and services?

· Is the board routinely informed about the potential material operational risk and risk mitigation strategies as well as incidents that could impact the brand?

· To what extent have essential services and functions been identified and programs implemented to provide for their resilience in the event of a disruption or cyber incident?

“Incident response is crisis management,” Hale adds.

“Enterprises need to consider cybersecurity from this standpoint and make it part of an integrated and holistic, enterprise-wide approach.”