CIOs can start by arming their boards with the right questions, none of which are technical. For instance, have we undergone an external assessment of our cyber recovery plans, and what's our action plan based on that assessment? Another area ripe for board investigation is whether or not there's been penetration testing or any other tests that mimic the actions of cyber criminals. Are those tests done regularly and how's our performance?
Developing areas of expertise
External assessments, says Ragland, are powerful tools for CIOs, too. "With boards seeking external validation on risks, just as they would financial fiduciary through an audit, it's the executive responsibility of CIOs to provide them with that information, as well as having a fresh set of eyes on an always changing landscape," she says. Audit and IT services have cybersecurity practices, and The National Association of Corporate Directors has recommendations for external assessments.
Boards want to build up their role in cyber, and they're changing board member selection criteria as a result. "Boards shouldn't limit their addition of technology expertise to security," says Ragland. "Yes, security expertise is critical, but so is a board member who can address the strategic opportunity that technology brings to organizations. How are we using technology to advance our strategies, products, and customer engagements? As boards look to technology skills, they should look for someone who can bring both flavors into the board room."