What if Boards Start Asking the Right Cyber Security Questions?

sanchit21

Updated: Dec 10, 2024


Are you asking the right questions?


When Boards of Directors begin asking the right questions about cybersecurity, it marks a pivotal shift in how organisations approach security. This transformation does more than strengthen an organisation’s defences—it enhances its overall security culture and resilience. 


We believe there are three types of organisations: those that have been hacked, those that are yet to be hacked, and those that are hacked but don’t know yet. Despite this reality, cybersecurity often remains isolated in board discussions, disconnected from the broader risk management framework. However, this gap is beginning to close, driven by an evolving regulatory environment and growing awareness of cyber threats.


The problem with the Board of Directors and Cyber Security 


Let’s face it: Boards of directors are not cyber security savvy. Most of the questions asked in Board meetings today demonstrate interest, but they focus on high-level metrics and do not help directors understand the actual state of the organisation’s security posture.


The broken record of business following a breach or incident 


Following breaches and incidents, we usually hear the following two general statements from the business:  


  • “This was a sophisticated attack,” and 

  • “We take security very seriously.” 


The reality is that most breaches are not that sophisticated and could have been avoided by deploying simple controls. Additionally, when Boards don’t take tangible steps to hold their business accountable for its cyber security responsibilities, the business simply doesn’t take security seriously. 


Growing Awareness of Regulations and Accountability 


Boards are increasingly recognising their role in cybersecurity governance, driven in part by regulatory and legislative pressures. Data breaches have changed the way boards think about cyber, and new legislation shows that the Government is catching up too. New laws, such as the Cyber Security Act 2024, and updates to existing legislation, such as the Privacy Act 1988 (including the POLA Bill 2024), have brought cybersecurity firmly onto the Board’s agenda. Government initiatives, such as the Notifiable Data Breach Scheme, the SOCI Act, and CPS 234 for APRA-regulated entities, highlight the need for proactive action. 


Put simply, these laws and regulations underscore a reality: boards can no longer afford to remain passive. They must move beyond surface-level assurances and begin critically examining their organisation’s cybersecurity strategy, resilience, and risk management practices. 


Preparing for Board-Level Scrutiny: A Call to Cybersecurity Leaders 


Cybersecurity leaders must rise to the challenge by ensuring their programmes are: 


  • Strategically Aligned: Cybersecurity initiatives should support overall business priorities. 

  • Comprehensive and Robust: Every aspect, from endpoint security to cloud protection, must be watertight. 

  • Transparent and Communicable: Leaders must present risks, strategies, and progress in terms that resonate with board members. 


Nowadays, most Board members see cyber risk as a technical problem and treat accountability for it as an IT matter. There is some truth in that, but the consequences of a cyber breach reach far beyond IT: they impact the business bottom line, future growth, and customer retention and acquisition. 


The board’s role is not to become cybersecurity experts but to provide effective oversight. By equipping themselves with the right tools, asking probing questions, and insisting on meaningful answers, boards can lead their organisations towards a more secure future. 

 

Asking the Right Questions: Where Boards Must Start 


Effectively overseeing cybersecurity relies on asking the right questions; by seeking detailed and actionable answers, boards can transition from passive oversight to active engagement. Key questions include: 


  1. Does our risk management program address all cyber risks comprehensively? Cyber risks evolve constantly, requiring an adaptable and robust risk framework. 

  2. Is our approach to cybersecurity within our risk appetite? Cyber risks must, like other risks, align with the risk appetite. 

  3. What lessons have we learned from recent cyber incidents? Are we continuously improving? Boards must understand whether incident reviews result in tangible improvements. 

  4. Do we have a clear understanding of where our data is, how it is used, and who has access to it? Questions about data inventory, storage, access controls, and vulnerabilities are vital. 

  5. How do we manage risks with suppliers, partners and third parties? With supply chain breaches on the rise, limiting third-party access to only what’s necessary is crucial. 

  6. What is our cybersecurity maturity level, and how is it measured? Boards should encourage regular evaluations and clear maturity metrics. 

  7. Are we prepared for a cyber incident? A tested and well-rehearsed incident response plan is now a business-critical asset. 

  8. How do we ensure compliance with relevant laws and regulations? Boards need clarity on compliance strategies, reporting mechanisms, and legal obligations. 


Asking the right questions is just the beginning. Integrating cybersecurity into business goals demands meaningful metrics. Boards should also identify leaders within their ranks to promote resilience and foresight across the organisation, championing a culture of accountability. 


Building realistic security metrics and presenting them to the board regularly is a vital tool: it allows board members to really understand the state of cybersecurity in their business. 


Conclusion: Start changing the culture of Boards now 


Boards cannot afford to wait for the next major breach to take cybersecurity seriously. The time for action is now. By enhancing their oversight, asking the right questions, and requesting frequent updates with the correct metrics, boards can drive substantial improvements in their organisation’s security posture. 


Cybersecurity leaders, in turn, must be ready to provide the clarity, transparency, and strategic alignment that boards demand. The stakes have never been higher. Every question asked is an opportunity to strengthen defences and protect the organisation against the ever-expanding threat landscape.  


How we can help 


At Spartans Security, we have long experience working with Boards and senior leaders to build meaningful security metrics: metrics that make sense, align with business objectives, and help the board exercise good governance over cyber security. This ultimately drives the business to manage these risks successfully and reduces the impact of the next incident. If you would like to understand more, get in touch with our team at info@spartanssec.com 



Sanchit Kansara
 About the Author

Sanchit is a cybersecurity and privacy expert with over 18 years of experience helping organisations secure their digital environments. Holding certifications including CISSP, CISM, CISA, CIPM, CDPSE, CRISC, and ISO/IEC 27001 Lead Auditor, Sanchit specialises in risk management, governance, compliance, and privacy. He has led cybersecurity initiatives across finance, healthcare, and government sectors, leveraging frameworks like NIST CSF and Essential Eight to build resilient security programs.

As a vCISO and strategic advisor, Sanchit has successfully aligned security strategies with business objectives, driving measurable improvements in cybersecurity posture. Passionate about fostering strong security cultures, he has developed training programs that empower teams to manage cyber risks effectively, ensuring organisations can confidently navigate the evolving threat landscape.
