1. Overview

The Seven Step Consulting Cyber Security team is often asked by clients to provide board level position papers on cyber security. We know from experience that boards can make a real impact on reducing the likelihood of a successful cyberattack and in minimizing the reputational and financial impact when a successful attack occurs.

FTSE 350 Cyber Governance Health Check 2018, a UK government report found that only 16% of boards have a full understanding of the impact and disruption associated with cyberattacks, despite 96% having an established cybersecurity strategy. This significant lack of board-level cybersecurity awareness among FTSE 350 members is “alarming”. Also, there is growing evidence that cyber-attacks are now deliberately targeting executives and board members – not businesses themselves – which shows that attackers believe this group is particularly vulnerable as well as valuable.

2. Approach

Based on data collected from an Cybersecurity Posture Assessment and additional pertinent organizational information, such as enterprise and business unit revenue and business value of significant IT assets from the CISO and CIO point of view our experts will work to provide your Board access to the industry leading experience and focus in the areas such as:

We use our expertise, experience, processes and proven methodologies to help enterprises help address the toughest security challenges. Our experts can advise your board on the relevance of cyber security in the context of your own corporate strategy. Reviewing cyber security risks at board level and appointing a board member with specific cyber responsibility are key actions your business can take to reduce losses from any future breach. As a result, allowing the board to achieve its unique corporate mandate with confidence.

Frequent ongoing advisory sessions to the board yield successful outcomes in achieving cyber resilience.

3. Benefits

Our Board Level Cybersecurity Advisory service

4. Deliverables

Key Questions we will address for your Board of Directors:

1. What part of the Board should handle examination of cyber security risks? Should it be the whole Board? Should this responsibility be assigned to the Audit Committee? The Risk Committee (if there is one)? Should the Board create a “Cyber Committee” to exclusively deal with these issues? Should additional Board members be recruited who have specific cyber security experience?
2. How often should the Board (or Committee) be receiving cyber security briefings? In this world, which moves at light-speed and in which cyber breaches are reported daily, are quarterly briefings enough? Should the Board be receiving monthly briefings? Or more (given the industry type of the Company on whose board they sit, e.g. tech/IP company)?
3. Given the sheer complexity and magnitude of many cyber security issues, should the Board hire its own “cyber advisers” to consult on cyber security issues, and to be available to ask questions of the Company’s senior management, CTOs, and CIOs?
4. What are the greatest threats and risks to the Company’s highest-value cyber assets? Does the Company’s human and financial capital line up with protecting those high-value assets?
5. What is the Company’s volume of cyber incidents on a weekly or monthly basis? What is the magnitude/severity of those incidents? What is the time taken and cost to respond to those incidents?
6. What would the worst-case cyber incident cost the company in terms of lost business (because of downtime of systems that were attacked and need to be brought back and because of the harm to the Company’s reputation as a result of the attack)?
7. What is the Company’s specific cyber incident plan, and how will it respond to customers, clients, vendors, the media, regulators, law enforcement, and shareholders? Does the Company have a crisis management plan to respond to all these various constituencies, as well as the media (both print and electronic/high activity bloggers)? Finally, has the cyber incident plan been tested (or “war-gamed”) so that it is ready to be put into place on a moment’s notice?
8. What cyber security training does the Company give its employees?
9. What sort of “cyber due diligence” does the Company perform with respect to its third-party service providers and vendors?
10. In a mergers and acquisitions context, what is the level of cyber due diligence that is done as part of the consideration of any acquisition?
11. Has the Company performed an analysis of the “cyber-robustness” of the company’s products and services to analyze potential vulnerabilities that could be exploited by hackers?
12. Finally, should the Company consider adopting, in whole or in part, the NIST cyber security framework as a way or method of showing affirmative action to protect the company’s IP assets?

There are plenty of tough questions that directors need to ask of its senior management and senior IT staff. And directors may need their own advisors and professionals to help them fulfill their oversight duties in helping to assess and ask the tough questions. Above all, take that first step, and contact us at any time for a no-obligation discussion on how we may be able to assist your organization today.