Cyber Risk Mitigation: Boards Top Questions for CISOs
This is part two of a four-part series that offers guidance on proactive communication strategies for CISOs, including ways to translate key information and express your actions in executive language, so you can remain focused on the important work of responding to incidents, events and threats equally, in order to mitigate organizational impacts.
When there is a cybersecurity incident, your board of directors wants to know if there is a plan. They want assurances that your organization is prepared to deal with the incident swiftly, efficiently, and thoroughly to minimize its impact on the business. That’s why, after communicating about your cyber risk exposure, the next burning question you will likely need to answer will be around your cyber risk mitigation plan. You will need to be prepared to respond to the question, " Has the situation been contained and have we dealt with it adequately?”
Subtext questions to consider:
- What was our response plan?
- How did we prioritize efforts and resource allocation?
- What is left to do?
- Were there any surprises and/or lessons learned?
Cyber Risk Mitigation: Are We Done?
What your executives and board really want to know is if the situation has been contained and what assurances you can provide that the risk has been dealt with appropriately.
To have a defensible position to answer questions like these from the board (or the audit committee in the future), you’ll need documentation, documentation, and more documentation! Your incident response, patch management, and zero-day vulnerability plans will likely all be required to capture all the processes, communications, and steps taken to address and validate that the risk has been mitigated.
This documentation should be comprehensive, including not only the plans but also:
- The emergency change processes that you executed
- The people who were involved
- Patching and segmentation details (how and when systems were prioritized and patched/segmented)
- How systems related to critical processes
- How processes were stratified
- How enforcement rules were altered and deployed
The goal is to show exactly what was done, when, and how, so you can demonstrate due care and report the elements that your board, as well as regulators and auditors, are looking to understand.
Keeping Executives Informed: Recovery Is a Journey Not a Moment
If the board asks, "Are you done? Is it contained? Did you finish up?" it's important to frame recovery as a journey, not a point-in-time experience. Recovery is an ongoing process that’s about coming back stronger and faster.
This means you need to sit down and have the recap meetings that help you uncover lessons learned and figure out where you could have saved time or done something differently or better. When time is of the essence, the documentation that we’ve discussed is critical to making sure that nothing is missed, no stone left unturned, and no step left out. But it’s also important to identify and then take care of the small stuff that can make a big difference in the efficiency of your operations.
For example, having easy-to-follow call trees for certain circumstances and business impact reports that tell you where your key assets are can save you a lot of time and effort when you're having the most stressful day of your life. Hindsight’s 20/20, so take the time to figure out what would have been useful and then explain to the board what you are doing to come back stronger.
By framing your answers to the board’s questions as a journey, you can remind them that security is never finished and never perfect, but it can keep getting stronger and more effective. Remember, “the day of the dance is not the day to learn to dance,” so, in addition to documenting everything meticulously, don’t forget to rehearse, rehearse, rehearse/practice, practice, practice, rinse and repeat. Let the board know how you are using every single opportunity to prepare and bolster your capabilities and what you are doing to make sure the next time will be even better (because, as we all know, there will always be a next time).
Check out part three of the series, which looks at how to answer, “What due diligence and assurances have we conducted?”
Learn more about how to talk to your board about cyber risk mitigation by watching this video:Learn more about how to talk to your board about cyber risk mitigation by watching this video:
Get in Touch
Remember to ask for Unit 42 by name with your cyber insurance carriers if you need incident response services.
If you think you may have been impacted by the Log4j vulnerability or any other major attacks, please contact Unit 42 to connect with a team member. The Unit 42 Incident Response team is available 24/7/365. You can also take preventative steps by requesting a Proactive Assessment.