CIOs can start by arming their boards with the right questions, none of which are technical. For instance, have we undergone an external assessment of our cyber recovery plans, and what’s our action plan based on that assessment? Another area ripe for board investigation is whether penetration testing, or any other exercise that mimics the actions of cyber criminals, has been carried out. Are those tests done regularly, and how did we perform?
Developing areas of expertise
External assessments, says Ragland, are powerful tools for CIOs, too. “With boards seeking external validation on risks, just as they would financial fiduciary through an audit, it’s the executive responsibility of CIOs to provide them with that information, as well as having a fresh set of eyes on an always changing landscape,” she says. Audit and IT services firms have cybersecurity practices that perform such assessments, and the National Association of Corporate Directors offers recommendations on external assessments.
Boards want to build up their role in cyber, and they’re changing board member selection criteria as a result. “Boards shouldn’t limit their addition of technology expertise to security,” says Ragland. “Yes, security expertise is critical, but so is a board member who can address the strategic opportunity that technology brings to organizations. How are we using technology to advance our strategies, products, and customer engagements? As boards look to technology skills, they should look for someone who can bring both flavors into the board room.”