As someone with deep experience in advising companies on how best to de-risk the enterprise, I wanted to find out what advice he would offer to boards and to management teams. For instance, he notes that his top five recommendations for boards to consider in their oversight roles are (1) Double down, or triple down, on the basics; (2) establish a cybersecurity risk policy with clear risk appetite statements; (3) ask for an effective risk report with qualitative assessments and quantitative analytics; (4) provide credible challenge and oversight of the cybersecurity program; and (5) focus on people and culture. He provides thoughts on each of these, and many other suggestions in this interview.
