During my career, it's been my honor to have served alongside some of the most capable and talented corporate executives in the world. One such executive, Andy Geisse, now serves as Operating Partner at Bessemer Venture Partners, after having served as CEO of AT&T's massive $71B business services unit. (Yes, that is a seventy-one.) Andy and I have kept in touch since our departures from AT&T, and we've recently been going back-and-forth on something that I think you'll find interesting.
What we've been doing involves creating cybersecurity-related questions that board members can ask management teams, and that management teams can ask operational groups. We agreed that the questions must be direct and simple, but that they must also be substantive enough to stimulate useful discussion. Our select categories focused on typical board and senior management responsibilities, which led us to the following six areas: Risk, compliance, technology, architecture, innovation, and personnel.
One nuance in our discussion was our sincere belief that slightly different questions would be suitable for corporate board members and senior management teams to use. Obviously, both entities share the goal of ensuring proper security governance and execution, but senior managers should be probing slightly deeper than board directors - and this is hopefully evident in our questions below. We tried hard to trim things down, and ultimately arrived at ten questions for boards to ask, and twenty for senior management.
Below are the questions we agreed upon, along with a brief recommendation on how the interrogator might go about interpreting answers received. Hopefully, such commentary will be unnecessary, since our questions include no buzzwords, nothing particularly complex, and only straight-talk about common-sense issues. We hope that you will forward this article to any board members or executives in your orbit, and that they will cut-and-paste these questions into the agenda for their next cyber-related review.
------------- clip here and send to your Board of Directors ------------
Board Question 1 (Risk): What are the greatest risk areas to our organization from the perspective of cybersecurity, and how are they categorized? (The answer should not be vague, but should instead clearly and directly connect cyber risk to business objectives and goals.)
Board Question 2 (Risk): What are the major functional, procedural, policy, and governance means by which we mitigate these identified cyber risks? (This answer should include sufficient detail to demonstrate a good working knowledge of the mitigation methods.)
Board Question 3 (Risk): What is the recommended method for the Board to measure and monitor cyber risk? (This can be answered by explaining possible frameworks and even commercial platforms that can establish a meaningful metric.)
Board Question 4 (Risk): Have we seen specific, directed cyber threats against our organization, and do we believe we have any known adversaries? (The response here can include specifically-named adversaries, or might just include a broad survey.)
Board Question 5 (Risk): How will we respond to serious cyber incidents that might negatively affect our customers or brand? (The organization should have predefined incident response procedures, including public relations statements that have been pre-vetted before an incident occurs.)
Board Question 6 (Compliance): What security frameworks do we use when audited, and how do we stack up against the requirements? (This should not be a formal answer with detailed mappings, but rather a general answer of how well the organization does with framework requirements.)
Board Question 7 (Compliance): What specific audits have we been subjected to, both internal and external, and how are we doing in such audits? (This is a question that is rarely asked, and many specific external security audits, often by large customers, are performed without reports to the board or senior management).
Board Question 8 (Compliance): What overall cybersecurity solutions and risk reduction measures should be deployed that are not currently in place? (The board should not assume that compliance frameworks will achieve this objective, even if the answer is a return to basics.)
Board Question 9 (Innovation): Do we stack up well against our competitors in cybersecurity? (This should be answered with evidence that the organization is within reasonable bounds of how other organizations address cybersecurity. Most companies invest roughly 5% of the IT budget for cyber, for example.)
Board Question 10 (Personnel): Do we have the right team in place for cybersecurity? (This question should be answered carefully, with attention to the tenure of the current Chief Information Security Officer. High turnover on the security team is a bad sign.)
------------- clip here and send to your Management Team ------------
Management Question 1 (Compliance): Which security compliance frameworks do we address in our company? (The answer should be crisp and should highlight relevant frameworks such as the NIST 800-53 or the Payment Card Industry (PCI) Data Security Standard (DSS).)
Management Question 2 (Compliance): Do our auditors understand our security infrastructure and are they addressing the right issues? (The answer should include input from both the internal and external auditors, as well as the lead information security executive.)
Management Question 3 (Compliance): What governance, risk, and compliance (GRC) processes and automation do we use? (The answer should reference use of a specific GRC platform and associated methodology for automating, managing, and tracking risk.)
Management Question 4 (Compliance): What are the one or two key compliance metrics worth tracking? (The answer should be consistent with metrics presented to the board and should not be complex or difficult to interpret. Number of actionable insights per year is an example.)
Management Question 5 (Technology): How do we canvass, review, and select the most appropriate security technologies? (The answer is that a source selection process for vendors and technologies should be in place with proper criteria for product and service procurement.)
Management Question 6 (Technology): Which security technologies are currently working well, and which are not? (The answer is that certain technologies such as real-time attack detection and anti-virus software might be considered suspect, whereas others might be more effective.)
Management Question 7 (Technology): What security technologies will be important to our organization in the next five years? (The answer should identify a few technologies that can be clearly connected to the objectives of the business in the coming years.)
Management Question 8 (Technology): If we had an unlimited budget, what technologies would we buy that we do not currently have? (The answer should be clearly stated, perhaps focusing on artificial intelligence, contextual authentication, or other emerging technologies.)
Management Question 9 (Architecture): Can our current security architecture be described in simple terms? (The answer here is not an easy one, so expect some difficulty in providing an answer. There should, however, be some basis for the security set-up.)
Management Question 10 (Architecture): Who is responsible for security architecture planning and design? (The answer should be clear and should not include too much distributed responsibility. Operations can be distributed, but planning and design should be centrally coordinated.)
Management Question 11 (Architecture): What are we doing to address enterprise security perimeter weaknesses? (The answer should point to an evolution to a perimeter-less architecture using cloud, mobility, and virtualization to reduce risk of firewall leakage.)
Management Question 12 (Architecture): How will cloud and mobility technologies factor into our evolving security architecture? (The answer should be that cloud and mobility are central in the protection of data for internal and third-party usage.)
Management Question 13 (Innovation): Have we implemented any innovative new protections in recent years? (The answer should include at least some modern cyber protections based on recent innovation such as machine-learning security.)
Management Question 14 (Innovation): What security-related intellectual property and patents do we currently hold rights to? (The answer should clearly define the IP and patents the organization might have rights to, or own.)
Management Question 15 (Innovation): What process do we follow for performing security research and development? (The answer should address how the organization performs or takes advantage of world-class research and development in cybersecurity.)
Management Question 16 (Innovation): How do we encourage and support security innovation in the company? (The answer should describe how employees and third-parties are encouraged to innovate to improve cybersecurity.)
Management Question 17 (Personnel): Can you provide evidence that our information security team is world-class? (The answer to this question should include clear evidence of team competence including past performance, experience, and expertise.)
Management Question 18 (Personnel): Are we paying good salaries and offering a desirable environment for the security team? (The answer to this question should include benchmark data showing how salaries match up with industry. Retention metrics would be useful in the answer as well.)
Management Question 19 (Personnel): How do we recruit fresh blood and new talent to the security team? (The answer to this question should include clear evidence of how team members are recruited, including any university programs.)
Management Question 20 (Personnel): Do we nurture our external reputation and interaction with the security community? (The answer to this question should address how the security team interacts with the standards community, conferences, and forums.)