20 Questions for the CISO

By Simon Tweddle

As the guardian of a financial firm's information, the Chief Information Security Officer (CISO)'s role cannot be overstated. With the financial sector under the microscope for security and compliance, it's so important for Boards to dive into the CISO's realm and be brave when taking on technical subjects. Engage with your CISO on these questions and challenge them to provide answers in plain English. Fortify your cybersecurity framework:

1️⃣ Cybersecurity Alignment: How does our current security posture compare against industry standards and regulations?

2️⃣ Risk Management: What's our approach to identifying and prioritising cybersecurity risks? Have our top threats been identified?

3️⃣ Industry Threats: What does the current threat landscape in our sector look like, and what is our defence strategy?

4️⃣ Data Security: How is sensitive payment and customer data safeguarded across all platforms?

5️⃣ Incident Response: Can you outline our incident response plan, its testing frequency, and the outcomes of the last test?

6️⃣ Breach Handling: What mechanisms are in place for swift breach detection and response? What's our response time average?

7️⃣ Third-Party Security: How do we ensure third-party vendors align with our cybersecurity standards?

8️⃣ Employee Training: Status of our cybersecurity awareness programs and their effectiveness?

9️⃣ Regulatory Compliance: How do we stay compliant with global and local cybersecurity regulations?

🔟 Cybersecurity Investment: What's our strategy for cybersecurity spending in the coming year?

1️⃣1️⃣ Program Effectiveness: How do we evaluate our cybersecurity measures? What metrics or KPIs are in play?

1️⃣2️⃣ Insurance Coverage: Do we have sufficient cybersecurity insurance coverage?

1️⃣3️⃣ Business Integration: How is cybersecurity integrated into our business strategy?

1️⃣4️⃣ Cyber Incidents Review: Can you share insights from any recent cybersecurity incidents?

1️⃣5️⃣ Emerging Technology Security: How are we securing new technologies and digital initiatives?

1️⃣6️⃣ Access Management: What controls are in place for access management, especially for privileged users?

1️⃣7️⃣ IT Resilience: How do we ensure our IT infrastructure is resilient against attacks, including ransomware?

1️⃣8️⃣ Industry Collaboration: Can you speak to our collaboration with industry groups and law enforcement on cybersecurity?

1️⃣9️⃣ Staying Current: How do we keep abreast of the evolving cybersecurity landscape and remain agile against new threats?

2️⃣0️⃣ Board Support: What additional support and resources are needed from the Board to bolster our cybersecurity posture?

These questions span strategic, operational, and compliance dimensions of cybersecurity, offering the Board a thorough understanding of the organisation's cybersecurity endeavours and challenges. The insights gained will illuminate the firm's defence capabilities and highlight areas for improvement. 🛠️🔍

Previous
Previous

How can Enterprise Risk interact with the CISO?

Next
Next

EU council and Parliament propose an agreement for the strengthening of AML and CFT controls.