7 Questions, 7 Mistakes, and a CISO Checklist – BSW #253

Boards have a unique role in helping their organizations manage cybersecurity threats. They do not have day to day management responsibility, but they do have oversight and fiduciary responsibility. Don’t leave any questions about critical vulnerabilities for tomorrow. Asking the smart questions at your next board meeting might just prevent a breach from becoming a total disaster. In this article we offer 7 questions to ask to make sure your board understands how cybersecurity is being managed by your organization. Simply asking these questions will also raise awareness of the importance of cybersecurity, and the need to prioritize action.

Talking to the board about cybersecurity in a way that is productive can be a significant challenge, and failing to do so effectively can result in confusion, disillusionment, and a lack of cohesion among directors, the security function, and the rest of the organization. Here are some common mistakes that CISOs make when speaking to the board: 1. Using over-technical security language 2. Focusing on the wrong threat impacts 3. Relying on out-of-box cyber risk reporting 4. Failing to prepare for potential questions 5. Oversharing and security scaremongering 6. Presenting cybersecurity as a cost center 7. Not investing in relationships outside the boardroom

This is no longer just about tech — if it ever was. This is about protecting the business against cyber-attacks which have now become a matter of “when, not if”. This is no longer something you can push down in the organisation. If the board does not see the need — or does not feel qualified — to step in, nothing will never change for good around cyber security because it has simply become too complex and too transversal in large organisations. Bottom-up approaches will continue to pour cash down the drain and CISOs will continue to leave every other year out of frustration. And breaches will continue to happen.

Your recovery plan will detail the steps your organization needs to take to stop losses, end the threat, and move on without jeopardizing the future of the business. These are some of the biggest goals you’ll need to achieve with any plan you develop. 1. Business continuity. 2. Data protection. 3. Loss minimization. 4. Communication. 5. Restoration. 6. Improvements.

This article assumes that you have already taken the routine measures. If you haven't, fix the basics first. We'll focus only on the extra steps necessary to offboarding security staff, based on the advice of many CISOs and other security professionals. 1. Time the Parting Well 2. Prepare for the Great Boomerang 3. Enlist Help from Your Security Team 4. Do the Insider Threat Checks 5. Do a Last-Day Audit 6. Check the Silos 7. Notify Other Affected Parties 8. Kill the BYOD Network Permissions and Wipe Devices 9. Disable/Deny Physical Access Permissions 10. Transfer Data Ownership 11. Check All Codes 12. Shut the Backdoor 13. Secure Security Systems 14. Find and Save Configurations 15. Check Incident and Log Data 16. Look Again

Let’s look at some examples that illustrate the value of soft skills: 1. Career growth and promotion 2. Adapting to the modern workplace 3. Improves customer service