ACI Leadership Series: Cybersecurity Questions Boards and Executives Need to Ask
Cybersecurity Questions Boards and Executives Need to Ask: A discussion with Wes Spencer – Webinar Notes
Hosted by Daniel Lowrie, ACI Learning edutainer.
Introduction:
This guide is a companion aid to help you follow along with our recent Leadership Series webinar episode, "Cybersecurity Questions Boards and Executives Need to Ask." In this interview, our friend Wes Spencer, a nationally recognized technology innovator and cybersecurity expert, discusses what boards should be asking about cybersecurity. Have these notes ready, then watch the full interview.
Framing the Conversation:
Business outcomes are what matter most to MSPs and their clients; a conversation that leads with technical details is hard for executives to follow.
Empathy is key to understanding what can impact the business's operations and growth.
Effective communication involves teaching, tailoring, and taking control of the cybersecurity conversation.
Compliance and Cybersecurity:
Executives often believe that being compliant means they are secure.
Compliance is the minimum standard, not the maximum.
Compliance does not guarantee security tomorrow; it only sets the floor.
Residual risk remains, and continuous improvement is necessary.
Emphasize security frameworks and peer analysis (comparing your posture against similar organizations) as the next step beyond compliance.
Questions for Executives and Boards:
Understanding Compliance:
How do we ensure executives understand that compliance is the baseline, not the endpoint?
What strategies can be employed to convey that being compliant today doesn't guarantee security tomorrow?
Continuous Improvement:
How do we convey the idea that cybersecurity is an ongoing process of improvement?
What methods can be used to encourage executives to see compliance as a starting point rather than a final destination?
Security Frameworks and Peer Analysis:
How can we incorporate security frameworks and peer analysis into discussions with non-technical leaders?
In what ways can these tools be effectively communicated to decision-makers?
Yellow/Green/Red Systemic Indicators:
Raw operational data (alert counts, response times, training completion) should be rolled up into yellow/green/red systemic indicators for high-level board discussions.
These indicators help the board gauge overall cybersecurity posture and see which areas need attention without reading the underlying data.
Key Questions for Boards:
Employee Training:
Are all employees receiving cybersecurity awareness training?
Have we met the minimum standards for training, particularly in areas like phishing?
EDR Alerts and Response Time:
How many EDR (Endpoint Detection and Response) alerts are we experiencing?
What is our response time to these alerts?
Risk Assessment:
What are our yellow, green, and red indicators in terms of cybersecurity risk?
How frequently are these indicators assessed and communicated to the board?
Budgeting for Security:
How can the board be reminded of the cost of not addressing cybersecurity risks?
What budget considerations are necessary to manage and mitigate identified risks?
Data Presentation:
The board should not be overwhelmed with raw data; instead, present information in terms they can relate to.
Use yellow and red indicators as opportunities to empower the board to take action.
Relate data to the cost of not addressing cybersecurity issues, including budget and potential operational disruptions.
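The notes above describe turning raw data (EDR alerts, response times, training and phishing results) into yellow/green/red indicators and presenting them in board terms. The following is an added example, not code from the webinar or from ACI Learning, showing one way to do that roll-up. The alert records, training roster, and every threshold are constructed assumptions for illustration; a real program would set the thresholds with the board and feed the functions from its EDR console and training platform.

```python
"""Roll raw security metrics up into board-level yellow/green/red indicators (added example)."""
from datetime import datetime
from statistics import mean

# Constructed sample EDR alert records (not real data): alert id, time raised, time triaged.
# A triage time of None means the alert is still open.
EDR_ALERTS = [
    ("A-1001", "2024-03-04T09:12:00", "2024-03-04T09:40:00"),
    ("A-1002", "2024-03-04T13:05:00", "2024-03-04T15:50:00"),
    ("A-1003", "2024-03-05T02:30:00", "2024-03-05T07:10:00"),
    ("A-1004", "2024-03-05T11:00:00", None),
]

# Constructed training roster (not real data): employee, completed awareness training,
# clicked the simulated phishing email.
TRAINING = [
    ("alice", True, False),
    ("bob", True, True),
    ("carol", False, False),
    ("dave", True, False),
    ("erin", True, False),
]

# Assumed thresholds (hypothetical). "higher_is_worse" metrics are green at or below the
# green bound and yellow at or below the yellow bound; the others are green at or above.
THRESHOLDS = {
    "edr_mean_response_minutes": {"green": 60, "yellow": 240, "higher_is_worse": True},
    "edr_open_alerts": {"green": 0, "yellow": 2, "higher_is_worse": True},
    "training_completion_pct": {"green": 95, "yellow": 80, "higher_is_worse": False},
    "phish_click_rate_pct": {"green": 5, "yellow": 15, "higher_is_worse": True},
}

RANK = {"green": 0, "yellow": 1, "red": 2}  # severity order used for sorting and roll-up


def rate(metric, value):
    """Map one metric value to green/yellow/red using the assumed thresholds."""
    t = THRESHOLDS[metric]
    if t["higher_is_worse"]:
        if value <= t["green"]:
            return "green"
        return "yellow" if value <= t["yellow"] else "red"
    if value >= t["green"]:
        return "green"
    return "yellow" if value >= t["yellow"] else "red"


def edr_metrics(alerts):
    """Mean minutes from alert raised to triaged, plus the count of still-open alerts."""
    fmt = "%Y-%m-%dT%H:%M:%S"
    durations, open_count = [], 0
    for _, raised, triaged in alerts:
        if triaged is None:
            open_count += 1
            continue
        delta = datetime.strptime(triaged, fmt) - datetime.strptime(raised, fmt)
        durations.append(delta.total_seconds() / 60)
    return {
        "edr_mean_response_minutes": mean(durations) if durations else 0.0,
        "edr_open_alerts": open_count,
    }


def training_metrics(roster):
    """Percentage of staff who completed training and percentage who clicked the phish."""
    total = len(roster)
    completed = sum(1 for _, done, _ in roster if done)
    clicked = sum(1 for _, _, clicked_it in roster if clicked_it)
    return {
        "training_completion_pct": 100.0 * completed / total,
        "phish_click_rate_pct": 100.0 * clicked / total,
    }


def board_indicators(alerts, roster):
    """Compute all metrics, rate each one, and roll up to the worst colour as the overall."""
    metrics = {**edr_metrics(alerts), **training_metrics(roster)}
    indicators = {m: rate(m, v) for m, v in metrics.items()}
    overall = max(indicators.values(), key=RANK.__getitem__)
    return {"metrics": metrics, "indicators": indicators, "overall": overall}


def board_summary(report):
    """One line per indicator, worst first, so red items lead the board conversation."""
    ordered = sorted(report["indicators"].items(), key=lambda kv: -RANK[kv[1]])
    return [f"{colour.upper():6} {name}: {report['metrics'][name]:.1f}" for name, colour in ordered]


if __name__ == "__main__":
    rep = board_indicators(EDR_ALERTS, TRAINING)
    print("Overall posture:", rep["overall"].upper())
    for line in board_summary(rep):
        print(line)
```

With the constructed data the mean triage time is about 158 minutes (yellow), one alert is still open (yellow), training completion is 80% (yellow) and the phishing click rate is 20% (red), so the roll-up reports RED and lists the click rate first. The worst-of roll-up is deliberate: a single red item is what the board needs to act on, and hiding it behind an average would defeat the point of the indicator.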
Strategic Discussions:
Translate raw data into actionable insights that prompt strategic discussions.
Board members are not cybersecurity experts, so present information at a high level.
Encourage a shift from the server room to the boardroom by presenting information in a way that aligns with their strategic concerns.