Determine how much of your organization’s operations are dependent on IT. Consider how much your organization relies on information technology to conduct business and make it a part of your culture to plan for contingencies in the event of a cyber incident. Identify and prioritize your organization’s critical assets and the associated impacts to operations if an incident were to occur. Ask the questions that are necessary to understand your security planning, operations, and security-related goals. Develop an understanding of how long it would take to restore normal operations. Resist the “it can’t happen here” pattern of thinking. Instead, focus cyber risk discussions on “what-if” scenarios and develop an incident response plan to prepare for various cyber events and scenarios.

Resources for Taking Action Resources for Taking Action National Association of Corporate Directors: The NACD Director’s Handbook on Cyber-Risk Oversight is built around five core principles that are applicable to board members of public companies, private companies, and nonprofit organizations of all sizes and in every industry sector.

National Institute of Standards and Technology (NIST) Cybersecurity Framework: Created through collaboration between industry and government, the voluntary framework consists of standards, guidelines, and practices to promote the protection of critical infrastructure, and helps owners and operators of critical infrastructure manage cybersecurity-related risks.

CISA Security Tip - Questions Every CEO Should Ask About Cyber Risks: It provides a primer on basic questions that CEOs of all businesses should ask themselves and their employees to ensure better cybersecurity preparedness and resilience.