Press Release


 Key Cybersecurity Questions Boards Need to Address 

New ISACA Report Released Today Calls for New Approaches to Cybersecurity

Rolling Meadows, IL, USA (20 August 2015)—Cyberprotection is no longer a technical issue; it is a business issue requiring board attention, and cybersecurity needs to be approached in a holistic manner, states a new report from global IT association ISACA. The guidance, titled “The Cyberresilient Enterprise: What the Board of Directors Needs to Ask,” was released today.

The new paper describes the need for governance over critical cyber events to help reduce the impact of cyber incidents and restore normal business. Included in the in-depth guidance are 19 key questions board members should ask to create a resilient enterprise that connects protection and recovery to the goals of the organization, and implements programs for the sustainability of essential services.

“Today’s attacks on enterprises are persistent and advanced, and no enterprise is 100% secure. It is no longer sufficient to only focus on prevention and detection,” said Ron Hale, Ph.D., CISM, chief knowledge officer of ISACA. “As the paper points out, board members need to evaluate the operational risk inherent in today’s digital business and direct management to ensure that the enterprise is more than just protected—it is resilient. This guide offers key questions boards should be asking to become a resilient enterprise and continue its mission of value creation.”

According to the paper, to be cyberresilient the enterprise must understand and prioritize stakeholder needs, identify the core business processes needed to meet the mission and goals of the enterprise, and understand the potential impact a cyberevent will have on the business. Key questions boards should ask include:

  • Is sufficient attention given to the ability to defend against intrusions as well as the ability to recover and restore essential functions and services?
  • Is the board routinely informed about the potential material operational risk and risk mitigation strategies as well as incidents that could impact the brand?
  • To what extent have essential services and functions been identified and programs implemented to provide for their resilience in the event of a disruption or cyberincident?

The paper also spells out ways enterprises can maximize business continuity and sustainability by:

  • Responding when an incident is detected.
  • Having an integrated capability that connects protection with detection, response, recovery and the continuance of core services and functions.

“Incident response is crisis management,” said Hale. “Enterprises need to consider cybersecurity from this standpoint and be part of an integrated and holistic, enterprisewide approach.”

Download the free white paper at



ISACA helps global professionals lead, adapt and assure trust in an evolving digital world by offering innovative and world-class knowledge, standards, networking, credentialing and career development. Established in 1969, ISACA is a global nonprofit association of 140,000 professionals in 180 countries. ISACA also offers the Cybersecurity Nexus (CSX), a holistic cybersecurity resource, and COBIT, a business framework to govern enterprise technology.






Joanne Duffer, +1.847.660.5564,