Oversight of cybersecurity programs, whether at the board or executive leadership levels, has always been a challenge. Typical questions that officers and directors ask range from the broad, “Are we secure?” to more detailed questions about metrics, such as, “How many vulnerabilities did you fix last quarter?” The answers to these questions may not help to indicate true program effectiveness. These types of queries often signal a lack of understanding about ways to hold cybersecurity teams accountable, and a lack of vision about how cybersecurity can actually help grow the business.
Attempts have been made to help cyber outsiders ask the right questions of security team leaders to improve the effectiveness of executive oversight. The National Association of Corporate Directors has put out some great guidance on what questions to ask, and what approaches to take when expanding IT security’s role to more of an enterprise risk mandate. The more that boards and leadership teams understand the wide-ranging responsibilities of cybersecurity teams, the better they can hold them to account.
Pivot the cybersecurity oversight mindset
Chief Information Security Officers (CISOs)…