Cybersecurity Issues Boards Must Address


Summary

Cybersecurity issues boards must address are the critical risks and challenges related to protecting a company’s data, technology, and operations from cyber threats. Board members are now expected to actively oversee cyber risk strategy, ensure business continuity, and understand how new technologies like AI influence both opportunities and vulnerabilities.

  • Prioritize incident readiness: Develop and regularly test response plans for cyberattacks, making sure all key leaders know their roles before a crisis occurs.
  • Oversee third-party risks: Evaluate how vendors and supply chain partners connect to your systems and require them to follow strong security practices.
  • Champion board fluency: Make cyber risk and digital oversight a routine boardroom topic, focusing on how evolving threats and technologies impact decision-making and business resilience.
Summarized by AI based on LinkedIn member posts
  • View profile for Mayurakshi Ray

    Board Member | Advisor - Technology, Security, Operations Risk | India’s First Cybersecurity Independent Director | Big 4, CXO | Chartered Accountant | Women Leadership Advocate | Mentor | Thought Leader

    6,764 followers

    The recent regulatory guidelines, viz RBI Master Directions of Nov 2023 and SEBI Cybersecurity and Cyber Resilience Framework (CSCRF) of Aug 2024, lay added importance to cyber resilience, business continuity and disaster recovery, incident response and recovery from cyber incidents. Boards are being increasingly attentive and seeking deeper insights on the organizations' preparedness to respond to and recover from cyber incidents.

    Being part of the Boards of regulated entities, I saw this quarter's IT Strategy and Technology Committee meetings, as well as the Board meetings, delve deep and enquire with the security and technology leadership and sometimes, directly from the MD/CEO, on:

    1. Cyber incidents reported, their impact and root-cause assessments. Note: for the organizations, these were mostly hits or false positives.
    2. Resilience scores, with Q-o-Q and Y-o-Y comparatives
    3. Business Continuity Drills and results
    4. Disaster Recovery exercises and results
    5. Health check report on the primary as well as the recovery sites, including cloud DR assessments
    6. Cyber / technology risk assessments
    7. Compliance and reporting (technology)
    8. Ongoing governance and improvement around the Cyber Crisis Management Plan (or similar plan, by whatever nomenclature it's defined)
    9. Adequacy of technology & security resourcing and training
    10. Data protection, with special emphasis on vendor / third party access to critical data & resources and controls around the same

    The above were some of the top discussion points, but not the only ones. As Boards are made more and more involved and responsible over governance of the organizations' cyber security, resilience, technology governance and risk assurance, Board members will engage more regularly on discussions about cyber risks, inquire of the management their capacity-capability-readiness to respond to and recover effectively from cyber incidents.

    And above all, the Board would like to ensure compliance to all the relevant regulatory provisions, including on technology and #cybersecurity.

    To all Technology and Security leaders - the message is very clear, the regulators and the Boards would like to see much more than mere tick mark exercise, especially if you're a regulated entity.

    - read through each clause in the directions & circulars from regulators
    - assess thoroughly your current status, including process, operations, technology architecture, procedures, documentation et al.
    - perform risk assessment - technology and operations, over each part of your business
    - conduct data flow analysis, ascertain your data protection strategy
    - analyze your third party / vendor connections at all business touchpoints

    Once you analyze your current state, compare with the requirements given by regulatory directions. Then, step-by-step, put in the measures, updates, upgrades. These are critical steps and require expert acumen - take help from external experts, as required. #technologygovernance

  • View profile for Ryan LIM

    Founding Partner @ QED | Bestselling Author | C-Suite Convenor | Senior Accredited Board Director | SkillsFuture Fellow

    9,431 followers

    Every time I host a session on Cybersecurity, it still never fails to amaze me and learn new things. This time, here's what I learnt. Cybersecurity is now a war of proxies. So many actors, each with different motives, make it extremely difficult to attribute and manage. Yet, it's precisely because of this, Cybersecurity is not a tech problem. It’s a leadership one.

    QED just wrapped up an intense, no-holds-barred leadership session co-hosted with our friends from Ensign InfoSecurity to explore “Leadership in the Age of Cyber Risks and Opportunities.” Instead of just another tech talk, we made it a strategic dialogue at the Board-level. So here are my key takeaways... I did say I'm learning, right? 😉

    1. When sh*t happens, who decides? Clear ownership is critical when a breach happens. If everyone’s responsible, no one is.
    2. Assume you’re already breached. Incident response plans are 3-parters that should cover before, during and after a breach/attack.
    3. Boards must prioritise the top 3 cyber risks. Not everything can be defended equally—focus on protecting your critical assets and ask how can you recover... if at all?
    4. Metrics that matter. Boards should ask the right questions, not just more questions. Assess resilience with clear indicators. Watch out for vanity metrics that feel good, but do absolutely... nothing! 😅
    5. Cyber hygiene is culture, not compliance. Regular simulations. Employee training. Strong passwords. Make it a daily habit and not something tedious nor optional.

    Ensign also shared their 2025 Threat Report which focuses more on the situation across APAC rather than elsewhere. Top three points:

    – Ransomware is still king
    – GenAI poses new challenges/complexities
    – Geopolitical tensions are reshaping the attack surface

    A huge thank you to Charles Ng and the great team at Ensign for the comprehensive deep dive and to all the leaders who shared, questioned, and connected with the purpose of being safer and better guarded together.

    Special thanks to our amazing panelists Lily Low, Audrey Ong, and Charles + our wonderful QED Fellow and moderator Ramakrishna Purushotaman for cutting through the noise. Your various vantage points help us all see a more complete picture of the challenges! 🙏🏼

    Here's something for you to ponder: 📣 If you're a Board Director, but haven’t discussed cyber in the last 90 days, it’s overdue. Do you know what are the right questions to ask your management? 🤔

  • View profile for Rob T. Lee

    Chief AI Officer (CAIO), Chief of Research, SANS Institute | “Godfather of Digital Forensics” | Executive Leader | AI Strategist | Advising C-Suite Leaders on Secure AI Transformation | Technical Advisor to US Govt

    22,099 followers

    Yesterday, I read National Cyber Director Sean Cairncross's remarks that the biggest threat to U.S. critical infrastructure right now is the access and leverage China has already built quietly inside the systems that power our daily life. Intelligence agencies have warned about this extensive campaign. Chinese hackers have placed tools that let them monitor and, if needed, disrupt core networks for power, water, and communications.

    Three things that I would think about as board and leadership:

    1: Learn, train on AI to meet the velocity of the adversaries. I believe that disruptions to fundamental infrastructure and services would have severe business consequences, and the only way to realistically keep pace with these threats is by security teams deploying and training on AI-powered security solutions to help meet the scale and volume of today's attacks. AI can surface suspicious signals, automate routine response, and help analysts catch intrusions people miss. Start training your security teams to use AI to meet at eye level with those who would harm the business.

    2: Watch supply chains, those already inside your networks. I think boards and CEOs are underestimating how quickly offensive AI tooling can weaponize a single third-party connection, and the idea that suppliers and partners are already a part of their effective network perimeter. Things you could discuss with security leadership focus on third-party and supply chain threats:

    - How would our systems handle a sustained network outage?
    - Do partners and vendors know how their networks connect to ours?
    - How do our vendors handle their own readiness?
    - Could they isolate attacks if needed?

    3: We need policies that keep pace with today's threats. I also appreciate how Cairncross pressed Congress to renew the Cybersecurity Information Sharing Act. The lapse has added to the complexity security leaders face in managing the volume of threats they face every day.

    More from CyberScoop and Tim Starks: https://lnkd.in/d-fxejBb

    Would love to hear how others in the community are thinking about these threats.

  • View profile for Gladstone Samuel

    Board Advisor | ESG and Workforce Strategy | Facilitating Organizations Reduce Risk and Improve Performance

    17,573 followers

    October is National Cyber Security Awareness Month in India. It is not a formality. It is a call for every boardroom to wake up.

    Cyber risk is no longer an IT issue. It is a governance issue. Boards that treat cybersecurity as a compliance checkbox will face the next breach as a headline.

    → A single attack can erase years of brand equity.
    → A weak policy can leak millions of customer records.
    → A slow response can crash market confidence overnight.

    John Chambers, former Cisco CEO, once said, “There are two types of companies: those that have been hacked, and those who don’t yet know they’ve been hacked.” That reality demands board fluency in how automation, AI, and digital systems shape risk.

    Not everyone on the board needs to code. But every director must understand how AI reshapes decision-making, data exposure, and resilience.

    Mary Barra, CEO of General Motors, said, “The pace of technological change is faster than boardroom awareness.” That gap is dangerous. Automation changes how value is created. It also changes how damage spreads.

    Good governance now means asking sharper questions:

    → What systems rely on AI, and who monitors them?
    → How are cyber risks reported at the board level?
    → Do we have a tested incident response playbook?

    Cybersecurity is not a department. It is a discipline of leadership. Boards that embrace AI fluency and digital oversight will lead with confidence instead of fear. The rest will learn the hard way.

    #Corporategovernance #Independentdirectors #Cybersecurity #Upskilling

  • View profile for Maya Moufarek

    Full-Stack Fractional CMO for Tech Startups | Exited Founder, Angel Investor & Board Member

    25,195 followers

    7 Cybersecurity Questions That Could Save Your Startup (Ask These in Your Next Leadership Meeting)

    Most founders think cybersecurity is an IT problem. It's not—it's a business survival issue.

    1. Do we have an incident response plan?
      → A tested, practiced protocol everyone knows
      → Clear roles defined for when (not if) an attack happens
    2. Do we have a ransomware playbook?
      → Step-by-step actions for the first 24 hours
      → Pre-approved external vendors to call immediately
    3. Are those plans practiced regularly?
      → Quarterly tabletop exercises minimum
      → Include board members and key stakeholders
    4. Is the board prepared to make ransom decisions?
      → Legal frameworks understood in advance
      → Decision criteria established before emotions run high
    5. Do we have sufficient cyber insurance?
      → Coverage aligned with actual business risks
      → Policy terms reviewed annually as business grows
    6. Which external vendors support incident response?
      → Pre-vetted forensic experts on retainer
      → Legal counsel specialising in cyber incidents
    7. How are we managing supply chain risk?
      → Third-party security assessments completed
      → Vendor cyber insurance requirements verified

    Unfortunately, if your team can't answer all seven questions confidently (or are starting to create a plan), you're operating with significant blind spots. Cybersecurity isn't just about preventing attacks—it's about business continuity when prevention fails.

    Which question revealed your biggest gap?

    ♻️ Found this helpful? Repost to share with your network.
    ⚡ Want more content like this? Hit follow Maya Moufarek.

  • View profile for Sajid Iqbal

    Cyber Security Leader Focused on Enabling and Protecting Business Growth (CCISO, CISSP, CISM, ISO27001)

    9,735 followers

    NCSC Annual Review 2025

    The National Cyber Security Centre has released its Annual Review, and the message is clear: cyber risk is now a boardroom priority, not just an IT issue. This year’s review reveals a 50% increase in highly significant cyber incidents, with attacks disrupting everything from supply chains to public services. The cost of inaction is rising - financial losses, reputational damage, and regulatory scrutiny are now the norm after a breach.

    Key highlights from today’s publication:

    • Cyber attacks are impacting every sector, from SMEs to critical national infrastructure.
    • Ransomware remains a top threat, with attackers targeting operational downtime and sensitive data.
    • Leadership matters: cyber resilience must be driven from the top and embedded into strategy, culture, and operational planning.
    • The NCSC is urging all organisations to act now, don’t wait for the breach.

    Practical steps:

    • Make cyber risk a standing board agenda item.
    • Invest in foundational controls like Cyber Essentials.
    • Use free NCSC resources such as the Cyber Assessment Framework (CAF) and Early Warning services.
    • Build a positive cyber security culture - prevention is always better than cure.

    As the NCSC says: “It’s time to act. Don’t wait for the breach.”

  • View profile for Sanjiv Cherian

    AI Synergist™ | CCO | Scaling Cybersecurity & OT Risk programs | GCC & Global

    21,867 followers

    “Cybersecurity isn’t failing because of tech, it’s failing because of leadership.”

    Last year, my team and I were called in to support a company after a major ransomware incident. The tech stack looked strong on paper:

    – EDR across endpoints
    – 24/7 SOC monitoring
    – Regular red team assessments

    But within the first hour of the incident briefing, the CFO said something that stuck: “We had the best tools. Why did everything still go down?”

    And that’s when it became clear— They had tools. They had dashboards. But they didn’t have the leadership structure to act decisively when it mattered.

    🚫 No executive-level crisis playbook
    🚫 No shared understanding of critical business systems
    🚫 No communication bridge between security and the board

    Infosec spoke in threat vectors. The board needed answers in financial and reputational impact. Two different conversations.

    📊 PwC’s 2024 Global Digital Trust Insights found: 74% of executives say their security leaders struggle to connect cyber risk to business goals.

    That’s the gap. Not lack of talent. Not lack of budget. But lack of alignment at the top.

    So how do we fix this? Here’s what security leaders can do right now to build better alignment with the board:

    ✅ Translate threats into impact. Don’t say “log4j vulnerability” — say “potential $3.2M outage risk.”
    ✅ Map risk to operations. Identify which 3–5 assets the business cannot afford to lose.
    ✅ Create a board-ready playbook. Define roles, escalation paths, and executive impact scenarios.
    ✅ Make metrics meaningful. Don’t show patching rates — show how exposure has dropped over time.
    ✅ Embed cyber in decision-making. Join strategic planning, not just audit reviews.

    Cybersecurity is no longer a technical function. It’s a leadership mandate. And the companies that thrive will be the ones where leadership owns the risk, not just the report.

    #CyberLeadership #CyberResilience #BoardroomSecurity #MCS #SecurityThatDelivers #BusinessAlignment #DigitalTrust #CyberForGrowth

  • View profile for Ed Sleiman

    Chief Security Advisor @ Microsoft | CISM, Cybersecurity Speaker, Board Advisor, Winner of 5 CISO Awards

    7,162 followers

    When preparing for a Board meeting as a CISO, it’s crucial to focus on questions that bridge cybersecurity with business priorities and risk management. Here are key areas you should be ready to discuss:

    1. Alignment with Business Goals: You could be asked, “How is our cybersecurity strategy aligned with the company’s broader goals?” This question invites you to explain how your initiatives support growth, innovation, or digital transformation, showing cybersecurity as an enabler, not just a cost center.
    2. Risk Landscape: Be prepared to answer, “What are our top cyber risks, and how are we mitigating them?” Boards want clarity on the biggest threats, how they might impact the business, and the effectiveness of your defenses.
    3. Business Impact: Expect questions like, “What’s the potential impact of a breach on our revenue and reputation?” Here, you should be able to highlight how your security initiatives support the business strategy.
    4. Incident Response Planning: They may ask, “How prepared are we for a cyber incident, and how quickly can we recover?” You should have insights into your incident response plan, any recent tests or simulations, and your team’s readiness.
    5. Compliance and Regulatory Requirements: Be ready to address, “Are we meeting all compliance and regulatory requirements?” This includes explaining how you’re keeping the company aligned with evolving data privacy and cybersecurity regulations.
    6. Return On Security Investment (ROSI): They might ask, “Are we investing enough in cybersecurity, and are we seeing returns?” Be prepared to show how your budget aligns with industry benchmarks and the tangible outcomes of security spending. It may be good to also have a PowerBI dashboard that shows the mapping between risk, controls, and budget. It's a handy tool. In my previous jobs, I was asked to develop such a tool with a slider that controls the budget and accordingly reflects the change in risk.
    7. Third-Party Risks: You could be asked, “How are we managing risks from our vendors and partners?” This is especially relevant if your supply chain is critical. Describe how you assess and monitor third-party risks.
    8. Employee Awareness and Culture: Boards are increasingly interested in culture, so expect, “How are we fostering a security-minded culture?” or “What training and awareness programs do we have in place?”
    9. Evolving Threat Landscape: Prepare for “How is the threat landscape changing, and are we adapting?” Being able to speak to new trends or emerging threats shows the board that you’re forward-looking.
    10. Metrics and Reporting: They might ask, “What metrics are we using to measure cybersecurity effectiveness?” Boards are increasingly data-driven, so they’ll want to understand how you’re tracking performance, like incident response times, vulnerability remediation rates, or risk reduction over time. This question may not be asked depending on how tech savvy your board is.

  • View profile for Shawnee Delaney

    CEO, Vaillance Group | Keynote Speaker | Board member | Co-Host of Control Room

    37,942 followers

    Boards Need Cybersecurity Experts—But Not Just Any Kind

    Boards love to say cybersecurity is a priority—until they’re dealing with a breach, a lawsuit, or a regulatory nightmare. Then suddenly, everyone wants to know why no one saw it coming.

    Here’s the problem: most boards (and C-Suites) focus on cybersecurity as a technical issue—firewalls, endpoint protection, compliance checklists. But the biggest threats today aren’t just about technology. They’re about people. Humans.

    Attackers know that hacking a human is often easier than hacking a system. That’s why threats are evolving beyond malware and zero-days to:

    🔹 Insider threats—both malicious and accidental
    🔹 Social engineering—phishing, business email compromise, deepfakes
    🔹 AI-powered deception—fake executives, fraudulent invoices, and manipulated voices
    🔹 Exploitation of trusted insiders—employees tricked, coerced, or incentivized into becoming unwitting accomplices

    And yet… most boards don’t have a single cybersecurity professional with expertise in human risk management.

    Think about it: companies spend millions on security tools but ignore the fact that their employees—CEOs included—are being targeted every. single. day.

    Boards need to rethink their approach to cyber risk. That means:

    ✅ Bringing cybersecurity experts onto the board—not just CISOs reporting to it (and if you do this let’s make it better than a one slide allowance once a quarter, eh)
    ✅ Prioritizing human risk management—understanding insider threats, manipulation tactics, and behavioral vulnerabilities
    ✅ Making cybersecurity a business conversation, not just an IT issue

    Cyber threats are no longer just technical—they are psychological, social, and deeply human. The real question is: does your board understand that?

    #board #cybersecurity #humanrisk #riskmitigation #csuite
