To provide board members with strategic cybersecurity data that is oriented toward business, it is essential to present them with the technical data. Any company's board should set a baseline for what information they want to know about cybersecurity. These are their five most critical questions:

  1. Can we count on our security? From a literal 100% protection standpoint, the answer is and always will be "no." However, if we rephrase the question as "what level of exposure are we facing?" we can begin to make progress.
  2. Are we compliant? Although audit results provide a quick answer to this question, they may not provide any real comfort as the perspectives may change at any moment due to their "point-in-time" nature. Instead, we should use a control framework to assess our cybersecurity program.
  3. Did any significant incidents occur? This question is generally answered with specifics, along with estimates regarding costs and potential liability, by Board members who are familiar with the significant incidents.
  4. Are we protecting ourselves effectively? Quality comes first.
  5. Do we have a security program that meets our needs? Next comes quantity.
