How to respond: Avoid guessing at the root cause of a security issue at a different company by saying: “I don’t want to speculate on the incident at company XYZ until more information is available, but I’ll be happy to follow up with you when I know more.” Consider discussing a series of broader security responses, such as identifying a similar weakness and how it’s being fixed, or updating Business Continuity plans.

3. THE RISK QUESTION

What it sounds like: Do we know what our risks are? What keeps you up at night?

Why it’s asked: The board knows accepting risk is a choice (if they don’t, that’s a challenge you need to solve). They want to know that the company’s risks are being handled. CISOs should be prepared to explain the organisation’s risk tolerance in order to defend risk management decisions.

How to respond: Explain the business impact of risk management decisions and ensure that your positions are supported by evidence. The second part is vital because boards are making decisions based on the risk tolerance. Any risks outside the tolerance level require a remedy to bring them within tolerance. This doesn’t necessarily require dramatic changes in short periods of time; beware of overreacting. The board will be seeking assurances that material risks are being adequately managed, and that subtle, long-term approaches may be appropriate in some instances.

Boards today are more informed about security risk.

4. THE PERFORMANCE QUESTION

What it sounds like: Are we appropriately allocating resources? Are we spending enough? Why are we spending so much?

Why it’s asked: The board will want reassurance that security and risk management leaders are not standing still. Board members will want to know about metrics and ROI.

How to respond: Use a balanced scorecard approach in which the top layer expresses business aspirations, and the performance of the organisation against those aspirations is illustrated using a simple traffic-light mechanism. As much as possible, explain aspirations in terms of business performance, not technology. Performance is underpinned by a series of security measurements that are evaluated using a set of objective criteria.

5. THE INCIDENT QUESTION

What it sounds like: How did this happen? I thought you had this under control? What went wrong?

Why it’s asked: This is asked when an incident or event has occurred and the board either already knows or the CISO is informing them of it.

How to respond: An incident is inevitable, so be factual. Share what you know and what you are doing to find out anything you don’t currently know. In short, acknowledge the incident, provide details on business impact, outline weaknesses or gaps that need to be worked out, and provide a mitigation plan. Be cautious not to endorse one option as the ultimate choice when in front of the board. The responsibility for oversight of security and risk remains with the security leader, but the accountability has to always be defined at the board/executive level.
www.intelligentciso.com | Issue 18 | 65