Cyber security questions for boards7

???????

risk oversight is a

function of the full

Board…yet

NACD  DIRECTOR’S  HANDBOOK  SERIES  2014  EDITION  

Did you know 50% OF BOARDS

SEE Cyber Security AS AN I.T. ISSUE?

PWC:  US  cybersecurity:  Progress  stalled,  Key  findings  from  the  2015  US  State  of  Cybercrime  Survey

That means 50% Are doing

it wrong

PWC:  US  cybersecurity:  Progress  stalled,  Key  findings  from  the  2015  US  State  of  Cybercrime  Survey

full Board

involved in

cyber risks =25%

Good

PWC:  US  cybersecurity:  Progress  stalled,  Key  findings  from  the  2015  US  State  of  Cybercrime  Survey

no Board

INVOLVEMENT in

cyber risks =30%

Bad

PWC:  US  cybersecurity:  Progress  stalled,  Key  findings  from  the  2015  US  State  of  Cybercrime  Survey

26% OF BOARDS SAY CISO or CSO

makes a presentation to the Board once

a year

UGLY

PWC:  US  cybersecurity:  Progress  stalled,  Key  findings  from  the  2015  US  State  of  Cybercrime  Survey

28% SAY their security

leaders make no

presentations at all.

UGLIER

PWC:  US  cybersecurity:  Progress  stalled,  Key  findings  from  the  2015  US  State  of  Cybercrime  Survey

What about 3rd Party vendors?

PWC:  US  cybersecurity:  Progress  stalled,  Key  findings  from  the  2015  US  State  of  Cybercrime  Survey

23% do not evaluate 3rd parties - that number is

probably much higher

PWC:  US  cybersecurity:  Progress  stalled,  Key  findings  from  the  2015  US  State  of  Cybercrime  Survey

cyber training is neglectedKPMG Poll

only 50% of EMPLOYEES RECEIVE

PERIODIC cyber TRAINING

PWC:  US  cybersecurity:  Progress  stalled,  Key  findings  from  the  2015  US  State  of  Cybercrime  Survey

PWC:  US  cybersecurity:  Progress  stalled,  Key  findings  from  the  2015  US  State  of  Cybercrime  Survey

only 50% of EMPLOYEES

RECEIVE Initial cyber

TRAINING

Cyber Security’s biggest obstacle?

Cyberedge Group 2016 report

Low security awareness among

employeesCyberedge Group 2016 report

So here are the 7

questions

How are key business processes

affected by different types of

cyber attacks?

(i.e. Ransom ware, Denial of service,

Data breach, etc)

1

Leads to discussion on what type of

cyber security we have and why

1

Is our physical

security adequate & is

it congruent with our

cyber security?

2

the two are

interrelated

NACD  DIRECTOR’S  HANDBOOK  SERIES  2014  EDITION  

2

who are our 3rd party

vendors?

3

and what risks do

they pose?

3

who is responsible for

cyber security

training?

4

HR, IT, CISO, etc?

4

Have officers and

directors received

cyber security /

information assurance

training?

5

these are high profile,

high risk positions

\

5

how do we vet our

administrators?

\

6

snowden was a

contractor…just

saying

\

6

who’s working for

you?

\

6

who does the ciso

report to and why?

\

7

Cyber security questions for boards71. How are key business processes affected by different types of cyber attacks?

2. Is our physical security congruent with our cyber security?

3. who are our third party vendors?

4. who is responsible for cyber security training?

5. have officers and directors received cyber security training?

6. How do we vet our administrators?

7. Who does the ciso report to?

www.paulmcgillicuddy.com

Share please