12 Questions About Security That Boards Must Ask
With the ever-growing number of data breaches companies face, a corporate board must elevate its presence as a watchdog to ensure enterprisewide accountability in the interest of cyber-security. Toward this end, ISACA (previously known as the Information Systems Audit and Control Association) offers the following 12 questions that board members must ask of themselves and of their business and IT leaders to ensure that all factors affecting incident response, business continuity and information assurance are addressed. The questions are taken from a recent ISACA report, "The Cyber-Resilient Enterprise: What the Board of Directors Needs to Ask."

Companies are taking, on average, 170 days to detect attacks from outsiders and 259 days when insiders are involved, according to the Ponemon Institute. Therefore, isolated security approaches are outdated, according to ISACA, which states that more cohesive, proactive strategies best position organizations to safeguard their informational assets.

Organizations need to "connect protection and recovery to the mission and goals of the enterprise," according to the report, "implementing integrated programs in order to provide sustainability of essential services. Board members need to evaluate the operational risk inherent in digital business and direct management to ensure that the enterprise is more than just protected—it is resilient."

By asking these questions, board members help ensure that key operations can proceed seamlessly even after an attack, and that advances in business technology will not invite potentially crippling risks. Here are the 12 questions, which IT and business leaders should be prepared to answer.