Cyber security – What do the boards need to ask ?

IT security audit organization ISACA and the Institute of Internal Auditors (IIA) are trying to provide answers on the proper role of board members.

They strongly recommend that boards ask the following six questions:

1. Does the organization use a security framework? Examples include ISO 2700x, COBIT or for instance PCI-DSS for credit card acceptance.
2. What are the top five cybersecurity risks the organization faces? How is it addressing new challenges like mobile devices, the bring-your-own-device trend, or cloud computing?
3. How are employees made aware of their role related to cybersecurity? Does every employee receive some basic cybersecurity awareness training?
4. Are both external and internal threats considered when planning cybersecurity program activities? Although external incidents tend to receive more media exposure,  the likelihood of an internal incident causing a major cyber incident is actually greater.
5. How is security governance managed within the organization? The board should understand how the three lines of defense are implemented and make sure there are no gaps between them, such as confusion about the responsibilities of the CISO vs. the auditors.
6. In the event of a serious breach, has management developed a robust response protocol? What incident response and crisis management approaches are in place?

ISACA and IIA promote the concept of the three lines of defense, a sort of in depth defense for enterprise governance, such as illustrated below

If an organization has an effective governance model, the second line of defense is responsible for performing the majority of the governance functions related to cybersecurity. Typically, this role is headed by the CISO, who defines the policies, standards, and technical configuration standards.

The first line of defense (usually the IT operations function) then implements those policies and standards and is responsible for day-to-day monitoring of the networks and infrastructure.

In its second line of defense, the  CISO organization is responsible for governing those tasks and ensuring that IT is performing the appropriate  monitoring, reporting, and tracking. As the third line of defense, internal audit is responsible for ensuring that the first and second lines of defense are functioning as designed.