Key Cybersecurity Questions Boards Need to Address



Cyber protection is no longer a technical issue; it is a business issue requiring board attention, and cybersecurity needs to be approached in a holistic manner, states a new report from global IT association ISACA. The guidance, titled “The Cyberresilient Enterprise:  What the Board of Directors Needs to Ask,” was released late last week.

The new paper describes the need for governance over critical cyber events to help reduce the impact of cyber incidents and restore normal business. Included in the in-depth guidance are 19 key questions board members should ask to create a resilient enterprise that connects protection and recovery to the goals of the organisation and implements programs for the sustainability of essential services.

“Today’s attacks on enterprises are persistent and advanced, no enterprise is 100% secure. It is no longer sufficient to only focus on prevention and detection,” said Ron Hale, Ph.D., CISM, chief knowledge officer of ISACA. “As the paper points out, board members need to evaluate the operational risk inherent in today’s digital business and direct management to ensure that the enterprise is more than just protected—it is resilient. This guide offers key questions boards should be asking to become a resilient enterprise and continue its mission of value creation.”

According to the paper, to be cyber resilient the enterprise must understand and prioritise stakeholder needs, identify the core business processes needed to meet the mission and goals of the enterprise and understand the potential impact a cyber event will have on the business. Key questions boards should ask include:

  • Is sufficient attention given to the ability to defend against intrusions as well as the ability to recover and restore essential functions and services?
  • Is the board routinely informed about the potential material operational risk and risk mitigation strategies as well as incidents that could impact the brand?
  • To what extent have essential services and functions been identified and programs implemented to provide for their resilience in the event of a disruption or cyber incident?

The paper also spells out ways enterprises can maximise business continuity and sustainability by:

  • Responding when an incident is detected.
  • Having an integrated capability that connects protection with detection, response, recovery the continuance of core services and functions.

“Incident response is crisis management,” said Hale. “Enterprises need to consider cybersecurity from this standpoint and be part of an integrated and holistic, enterprise wide approach.”

Download the free white paper at