
Knowledge and understanding

Do I understand the cyber risks within my organisation?

Do I fully understand the Board’s cyber updates, briefings or papers, and how that information was generated?

Outside of Board meetings, do I speak regularly to the Board member accountable for cyber risk (Senior Information Risk Owner (SIRO), Chief Information Officer (CIO), or Chief Information Security Officer (CISO)) to improve my understanding of the organisation's threat profile, controls and processes?


Governance

Do I really know who is accountable for cyber risk on the Board, and who is responsible for managing cyber risks in my organisation? 

Am I confident there is sufficient segregation between them and those making decisions about the technological direction of the organisation? 

Is the Board relying on technical staff to sign off cyber risk which may carry personal liability for each director?


Briefings

Are the cyber updates and briefings delivered in a way that enables the Board to understand the risk to patient care and allows for informed discussion of financial spending on risk mitigation strategies? Are they clear enough to enable a strategic discussion which encompasses the wider environment?

Do briefings cover the basic areas outlined in the Government’s 10 Steps to Cyber Security guidance?



Risk management

Does the Board regularly discuss the level of cyber risk and how much it is prepared to invest to manage that risk? 

Is the Board being offered choices or options in relation to cyber risk management? 


Last edited: 14 January 2022 4:40 pm