Ten Questions Directors Should Ask About Cybersecurity Culture

A Board of Directors has a responsibility for overall cultural direction in an organization. To exercise this responsibility the organization must first have a cybersecurity culture that will minimize the risks.

Cybersecurity culture is “the knowledge, beliefs, perceptions, attitudes, assumptions, norms and values of people regarding cybersecurity and how they manifest themselves in people’s behavior with information technologies.” (European Union Agency for Network and Information Security (ENISA), Cyber Security Culture in Organizations, Greece, 2017)

The directors need to ask the following questions:

1. What are the business functions in the enterprise with the highest exposure to technology breaches?

2. Is there a cybersecurity policy in place?

3. Has the policy been infused into the cybersecurity culture of the organization?

4. Has the policy been reflected in the operational processes of the organization, particularly in those areas of greatest risk

5. Have people with the appropriate skills been empowered to implement those policies and procedures?

6. What steps are being taken to reinforce the cybersecurity culture?

7. Are appropriate educational and training programs in place?

8. Is there a process in place for regular and periodic review of the health of the cybersecurity culture?

9. Have the main policies and procedures supporting the cybersecurity culture been documented to provide a cohesive understanding of that culture?

10. Are there steps in place for regular reporting and discussion with the Board of Directors involving the most responsible personnel?  



Leave a comment


  • No comments found