SEC cyber attack regulations prompt 10 questions for CISOs

In light of recent Securities and Exchange Commission regulations governing the disclosure of cyber attacks for public companies, the need for comprehensive cybersecurity understanding at the leadership level has never been more apparent. The new rules mandate a level of transparency and understanding that can be achieved only when those at the helm have a strong grasp of the cybersecurity landscape.

Unmasking the cybersecurity landscape can be a daunting task for board members, yet it is a vital part of their role in terms of governance and risk management. To help navigate the regulations, here are 10 critical questions board members should ask their CISOs about cyber risk and management:

1. What does the company's risk landscape look like, and what is the company's current cybersecurity risk profile? This essential question offers a broad overview of a company's cybersecurity status. It encompasses identified vulnerabilities, ongoing threats and the steps being taken to mitigate potential risks.
2. How does the company keep the fort secure, and how does it manage cybersecurity risks? Gaining insights into the strategies, tactics and resources employed to manage cybersecurity risks is paramount. This question guides board members in evaluating whether these measures align with the organization's risk profile.
3. Is the company ready for a storm? Does it have an incident response plan? Preparation is half the battle. A clear, actionable incident response plan that includes detection, containment, recovery and follow-up processes is indispensable for any well-prepared organization.
4. Is the company winning? What cybersecurity metrics does it track? Quantitative insights into an organization's cybersecurity performance can be highly illuminating. Understanding which metrics are being monitored and how they influence decision-making is a key aspect of effective governance.
5. What are the company's crown jewels, and how does it guard them? Board members need to be fully aware of the organization's most valuable assets -- data, systems, etc. -- and how they are being safeguarded.
6. How does the company stay ahead of threats? The cybersecurity terrain continues to evolve, and staying abreast of the latest threats and trends is a necessity rather than a choice.
7. Are the company's allies trustworthy? What's the company's plan for third-party risk management? Many cyber incidents are precipitated by vulnerabilities in third-party vendors or software. A strong cybersecurity strategy must encompass provisions to manage third-party risks.
8. Does the company foster a security-conscious culture? What are its cybersecurity training and awareness programs? The human factor cannot be ignored when it comes to cybersecurity. Understanding the initiatives in place to educate employees about their roles in preventing cyber incidents can make a world of difference.
9. Does the company invest wisely? How is its cybersecurity budget allocated? Knowing how resources are being disbursed can help boards discern whether the most significant risks and challenges are receiving adequate attention and funding.
10. Can the company control the narrative during a crisis? How will it handle communications in the event of a significant breach? Effective communication during a cybersecurity incident is critical for maintaining trust with stakeholders and preserving an organization's reputation.

With the cybersecurity landscape evolving at an unprecedented pace, it is crucial for board members to arm themselves with an arsenal of knowledge. Having the right set of questions to ask the organization's CISO is just the starting point.

About the author
Frank Kim is a SANS Fellow and leads the Cloud Security and Cybersecurity Leadership curricula to help shape and develop the next generation of security leaders. Previously, he served as the organization's CISO, where he led the information risk function. He is the CISO-in-residence at YL Ventures. Kim serves as an advisor to numerous security startups and teaches courses on CISO leadership, strategic planning, DevSecOps and cloud security.