Part of Cyber security guide for non-executive directors
Questions to ask yourself
Knowledge and understanding
Do I know and understand the cyber risks of my organisation?
Do I understand the board’s cyber updates, briefings or papers? If I am not currently receiving these, should I request them?
Outside of board meetings, do I regularly speak to those accountable for cyber risk – the SIRO (Senior Information Responsible Officer), Chief Information Officer (CIO) or Chief Information Security Officer (CISO) – to improve my understanding of the organisation’s threat profile, controls and processes?
Governance
Do I know who is accountable for cyber risk on the board, and who is responsible for managing that risk within the organisation?
Am I confident there is sufficient segregation between those accountable and those making decisions about the technological direction of the organisation?
Am I aware that technical staff may be accepting risk on behalf of the board, when they do not have the delegated authority to do so?
Briefings
Are the updates and briefings tailored to enable the board to understand the risk to their strategic objectives?
Are cyber risk management strategies presented in a way that facilitates informed discussion of spending at a strategic level?
Do briefings cover the basic areas outlined in the Government’s 10 steps to cyber security guidance?
Risk management
Do I regularly discuss the level of cyber risk and how much the organisation is prepared to invest to manage that risk?
Am I being offered choices or options to manage cyber risk?
Do I understand the cyber risk landscape/posture of the organisation and how much untreated or residual risk we are holding?
How confident am I that, when a cyber incident occurs, everyone knows their roles and responsibilities, including escalation?
Last edited: 15 July 2025 4:54 pm