Suppose you get a call from a college classmate with the following pitch:
"David, I want to give you the opportunity of a lifetime. We started up our business last year called 'Super Duper Application.' We tested it, and we put it on the Apple App Store. It has done resoundingly well since then. We now have thousands of customers who love the Application. We also just finished our last financing round, and we now have a one billion dollar valuation, making us a unicorn. We need to take this project to the next level. We need to grow the business with new applications, get more customers, and go public next year. We need you on our board. It's the opportunity of a lifetime."
I am sure that over the last few years, there have been hundreds of individuals who have gotten calls similar to the one above. Some who have accepted the Board of Directors challenge have done phenomenally well – others not so much. Part of any new director’s job, however, is due diligence before taking a board position. That includes due diligence around the company’s financial reporting processes, internal controls and cyber security defensive posture, especially for a business like "Super Duper Application," where the whole business is centered on the Internet, R&D and customer sales. We often get asked what questions directors should be asking about their company’s cyber security posture. Our recent book Navigating the Cyber Security Storm lists hundreds of possible questions. But in an effort to narrow things down for an initial director interview, here are the 10 top questions we would ask if we were asked to join the Board of "Super Duper Application": 1. What was the company’s cyber security budget last year? What was the company’s cyber security budget this year? What improvements were made to the defense of the network this year? How much of the budget was spent on employee training and awareness programs? Make sure the company is paying attention to their defense – good defense costs money. Find out what hardware they are spending their money on. If it’s purely on anti-virus, that's not a good thing. The world is moving towards continuous monitoring, automation and orchestration. Make sure the company isn’t cheaping out on cyber security or spending money in the wrong areas. 2. What are the top five cyber security threats to the company? And what is the company doing about them to protect their network, customers, clients and shareholders? Does the company understand its threat environment? Does the company subscribe to any threat intelligence feeds? All these things are very important. If you don’t know where to look for a problem, you won’t know how to fix it. 3. Does the company adhere to any standardized cyber security policy like ISO 27001 or the National Institute of Standards and Technology Cyber security Framework (“the NIST Framework”)? Following a written policy provides process and discussion topics. "Seat of the Pants" cyber security has not worked for any company that I know of. 4. What are the company’s most important IP and customer assets? How has the company valued them internally in terms of importance? And how are they being protected today? These questions are the first two prongs of the NIST Framework and probably the most important questions that one could ask. Why? You can’t protect what you don’t know you have, keep, or store. And you cannot organize your defenses accordingly if you haven’t valued your most important assets (your "crown" jewels). Ultimately, you need to most protect that which values the most to you. If it is R&D for new applications, segment this data from other parts of your networks, encrypt it, tokenize it, or put it in the cloud so it is away from harm. Take what assets are most important to you and protect them within an inch of your life. 5. Where are your most important IP or customer assets located? On-premises? In the cloud? If in the cloud, where are the servers located? This question is important for a number of reasons. There will be different defensive strategies depending upon where the data is located. On-premises means your data is in the data room down the hall. By contrast, the "cloud" could be anywhere – in the United States, UK, or elsewhere. And if the data is stored in the cloud, there are different strategies to make sure the data and traffic are visible to the company and secure (perhaps either through encryption or tokenization), and there are unique data privacy concerns that the company will likely need to address. 6. Does the company have an incident response plan, a business continuity plan and a crisis communications plan to deal with the aftermath of a breach? These three plans are the holy grail of good cyber security planning. A cyber security incident response plan deals with triaging cyber security incidents within the company, including how those incidents are remediated and then communicated to the C-Suite and the Board of Directors. Recovering from a breach is hard enough – doing so without a plan is nearly impossible. A business continuity plan deals with the aftermath of a breach and what needs to be done to get the network back up and running with as little downtime as possible. Primarily, it addresses the need of having tested back-up media that's ready to be booted at a moment’s notice in the event the main system goes down. Finally, a crisis communications plan deals with notifications, letters and information imparted to customers, investors, clients and vendors. Crisis communications plans are usually pre-orchestrated, so that no one has to think when they are in the middle of a crisis. 7. When was the last time the incident response plan, business continuity plan and crisis communication plan were reviewed, tested and table-topped, so that all involved were made fully aware of the playbook and their roles? Plans that are drafted and then put in a drawer to gather dust are no good to anyone. Given the seriousness of some cyber attacks (e.g. Sony Pictures Entertainment), plans need to be practiced and tested to make sure they work, so that network downtime can be limited as much as possible. Having a tested plan that works well conveys confidence to the markets, investors and customers that the company is fully in control. 8. When was the last time the company did spear-phishing training for its employees and executives and awareness training to deal with business email compromise (BEC) scams? These questions are self-evident. Training is important, especially when spear-phishing is the most prevalent threat vector that companies face. Employees need to understand that clicking on an unknown link or attachment is never a good idea. 9. How often does the CISO address the board on cyber security issues? Does the CISO report to the CIO or the CEO (or head of the Audit or Risk Committee)? These are subtle questions, but they are important ones. The CISO needs a seat at the table within any organization and access to the CEO or the Board. The cyber risks a company faces can be devastating and can result in loss of clients or market capitalization. Conversation cannot grind to a halt at lower levels and get upended over issues like costs. Risks need to get transmitted to the Board of Directors; otherwise, it will not be able to fulfill its oversight duties. Cyber security is not just an IT problem – it is everyone’s problem. With that in mind, cyber risks should be discussed at least quarterly with the full board of directors. 10. When was the last time the company did a vulnerability assessment? When was the last time the company did a compromise assessment? Again, these are subtle questions but important ones. Periodically (we recommend at least quarterly), companies need to do vulnerability assessments to see if their network has any particular vulnerabilities that can be exploited. Have all patches been performed? Have all laptops, iPads, and iPhones been updated? The days of "patch and pray" are over. Companies need to continually assess the security of their network. Finally, a compromise assessment can tell if the company has already been hacked. It is better to know that you have been hacked at the earliest possible moment, so that remediation efforts can happen as soon as possible. Conclusion The above list of questions is good for starters. It can give a director some sense whether or not the company is on the right track when it comes to dealing with cyber security risk. We would lastly note that in addition to the above, we recommend that all companies consider buying standalone cyber security insurance to help transfer some of the risks and costs of a breach to an insurance carrier for a fair premium. Buying cyber security insurance to us is just another indicator that cyber security risk is being dealt with seriously by a company. Though being a director of a hot startup can be fun and interesting, if that startup is hacked, it will be much more disheartening experience. Better to know beforehand what you are getting into.
About the Author: Paul Ferrillo is counsel in Weil’s Litigation Department, where he focuses on complex securities and business litigation, and internal investigations. He also is part of Weil’s Cyber security, Data Privacy & Information Management practice, where he focuses primarily on cyber security corporate governance issues, and assists clients with governance, disclosure, and regulatory matters relating to their cyber security postures and the regulatory requirements which govern them. Editor’s Note: The opinions expressed in this guest author article are solely those of the contributor, and do not necessarily reflect those of Tripwire, Inc. Title image courtesy of ShutterStock
