Gestion des risques informatiques | Les administrateurs doivent poser les bonnes questions !
Voici le résumé d’un article paru dans le Wall Street Journal le 21 juillet 2015, basé sur un billet de NACD In The News*.
Les administrateurs doivent être au fait de la situation de l’entreprise eu égard à la sécurité informatique. Cependant, la plupart des administrateurs ne savent pas trop comment s’y prendre pour s’assurer qu’ils s’acquittent de leurs responsabilités.
L’article propose six questions que les administrateurs devraient poser à l’équipe de la sécurité informatique de l’entreprise afin de mieux saisir la problématique de la sécurité cyber informatique.
Ces questions ne couvrent certainement pas tous les angles mais elles ont l’avantage de contribuer à une meilleure connaissance, partagée par tous les administrateurs.
Les questions suggérées sont vraiment percutantes :
What was our most significant cybersecurity incident in the past quarter? What was our response?
What was our most significant near miss? How was it discovered?
How is the performance of the security team evaluated?
Do you have relationships with law enforcement, such as the FBI and Interpol?
Do you work with business leaders on due diligence of acquisition targets? With supply chain leaders on security protocols of vendors and other partners?
What process is in place to ensure you can escalate serious issues and provide prompt, full disclosure of cybersecurity deficiencies?
* Source: National Association of Corporate Directors (NACD)
Bonne lecture !
Boards are trying to build more productive, transparent relationships with cybersecurity chiefs to decrease the risk of attack. But directors can by stymied by a lack of basic security knowledge.
New guidance from the National Association of Corporate Directors suggests asking more searching questions of chief information security officers, including how they measure their teams and technology and whether they have ongoing contacts with the Federal Bureau of Investigation and other law enforcement bodies that investigate attacks.
The most common question directors ask of CISOs is whether their company is vulnerable to breaches similar to those at Target Corp., Anthem Inc. and the U.S. Office of Personnel Management, said Phil Ferraro, a former CISO at Las Vegas Sands Corp. who now consults with boards. But that approach is simplistic, he said. “Directors don’t understand that no security is ever perfect.”
More productive are conversations about how to decrease the risk of attack and the process for managing one when it occurs, Mr. Ferraro said. For example, the NACD suggests boards continuously ask about the most significant cybersecurity incident in the prior quarter and how the security team handled it, so that the discussion may lead to better practices.
Key Questions Directors Must Ask Cybersecurity Chiefs
- What was our most significant cybersecurity incident in the past quarter? What was our response?
- What was our most significant near miss? How was it discovered?
- How is the performance of the security team evaluated?
- Do you have relationships with law enforcement, such as the FBI and Interpol?
- Do you work with business leaders on due diligence of acquisition targets? With supply chain leaders on security protocols of vendors and other partners?
- What process is in place to ensure you can escalate serious issues and provide prompt, full disclosure of cybersecurity deficiencies?
Still, there is no single set of questions directors can ask to uncover all cybersecurity weak spots, said Tom Glocer, a director at Morgan Stanley and Merck & Co. Inc., and the former CEO of Thomson Reuters Corp.
“My experience is that the horribly dangerous cyber threats are the ones you don’t even know about,” said Mr. Glocer, who chairs Morgan Stanley’s board-level technology committee.
But directors should engage CISOs in continuous discussion to let management know that the board “cares and is watching,” he said. Security is a regular agenda item at Morgan Stanley board meetings, discussed boardwide and in the risk and technology committees. Morgan Stanley is one of just 15 of the Fortune 100 with a formal technology committee at the board level.
At boards less versed in technology and cybersecurity, CISOs must often first educate directors about the range of potential security problems because many members “simply don’t know,” Mr. Ferraro said.
Just 11% of board members across industries say they have a “high level” of knowledge about the topic, according to a recent NACD survey of 1,034 directors.
An important check is for CISOs to talk with board members about developing a process to ensure they can escalate serious issues and provide prompt, full disclosure of cybersecurity deficiencies, the NACD advised. “That’s something boards have got to pay attention to, because they’re on the line as much as management when something bad happens,” Mr. Ferraro said.