Three Questions You Need to Ask Your CISO.

Poland. Portugal. Stryker. Signal. Three nation-state actors operating against US and allied targets simultaneously — this week. Most April board meetings will cover the wrong things. Here are the three questions that actually change you

CYBER RISK: THE BOARDROOM EDITION

This week alone: Poland foiled a cyberattack on its nuclear research centre. Portugal warned of foreign state-backed hackers targeting military messaging accounts. Iran-linked actors claimed the Stryker breach. Russia-backed groups are inside Signal and WhatsApp accounts of officials and journalists. And US banks went on high alert as the Iran conflict escalates.

Most boards will get a quarterly cyber update in April. Most of those updates will be dense with technical metrics and light on the questions that actually matter. Here are three questions that will change the quality of that conversation — and your organization’s exposure.

Question 1: Are We Watching the Exits?

Modern ransomware isn’t just about encryption anymore. Attackers exfiltrate your data first — quietly, over days or weeks — then drop the ransom note. By the time you know you’ve been hit, the data is already gone.

The tell is unusual outbound data movement: volume, destination and timing that do not match a system's normal pattern. Not the ransomware itself. The movement that happens before it.

Most organizations monitor what comes in. Far fewer monitor what goes out. If your security team can’t tell you in real time when an unusually large volume of data left your environment — and to where — you have a blind spot that attackers are actively exploiting. Two caveats belong in any good answer: "unusual" has to be measured against each system's own baseline rather than one company-wide number, and attackers who expect a fixed threshold will throttle the transfer to stay under it, so destination and timing matter as much as raw volume.

ASK YOUR CISO:

Do we have real-time monitoring on large outbound data transfers? What’s the threshold that triggers an alert, who gets notified, and what’s the documented response?

Question 2: Why Are We Still Talking to Countries We Don’t Do Business With?

If your organization has zero legitimate business activity in Iran, Russia, or North Korea — why is network traffic to and from those countries permitted at all?

Geo-blocking isn’t a perfect control. Sophisticated nation-state actors use proxies, VPNs, and compromised infrastructure in third-party countries to mask their origin. But geo-blocking at the egress layer eliminates noise, shrinks your attack surface, and forces adversaries to work harder. It’s a low-cost, high-value control that too many organizations skip because nobody made a decision. Apply it at every egress path (firewall, web proxy and DNS resolver, not just the perimeter firewall), and log the blocked attempts: an internal host repeatedly trying to reach a blocked country is itself an early-warning signal worth investigating.

ASK YOUR CISO:

Have we implemented egress filtering to block network traffic to and from nation-states we have no business relationship with? If not, what’s the documented rationale for leaving that door open?

The burden of proof should be on keeping traffic open — not on closing it.

Question 3: Are We in the Room Where Threat Intel Is Shared?

There is threat intelligence circulating right now that will never hit the news cycle. It’s being shared between organizations in the same sector — banks, hospitals, manufacturers, energy companies — through Information Sharing and Analysis Centers, or ISACs.

ISACs exist for nearly every major industry vertical. Members share early indicators of compromise, attack patterns, and threat actor behavior before those threats become public. When Iran-linked actors targeted financial institutions this week, ISAC members in the financial sector had intelligence on the threat vector before it made headlines.

Paying dues to an ISAC and actually operationalizing their intelligence are two very different things.

Many organizations join their sector ISAC and stop there. The membership box gets checked. The threat feeds don’t get operationalized. Nobody reads the bulletins. The intel sits in an inbox. Operationalized looks different: a named owner reads each bulletin, the indicators it contains are loaded into the firewall, proxy and endpoint tooling and checked against recent logs, and the attacker behaviors it describes are turned into detections. If none of that happens, the membership is a line item, not a control.

ASK YOUR CISO:

Are we active members of our sector ISAC? Are we receiving threat intelligence feeds and actually operationalizing them — or are we paying dues and calling it coverage?
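The three questions above each have a concrete check behind them, and a CISO who can answer them well will have something like the following running against real flow data. This is an added example, not code from the original post or from Stasiak: it baselines outbound volume per host (Question 1), applies a default-deny country allowlist (Question 2) and matches the indicators from a bulletin against what actually left the network (Question 3). Every flow record, the allowlist and the indicator list are constructed for illustration; the addresses are from the reserved documentation ranges and the country tags are invented.

```python
"""Checks behind the three board questions: egress volume baselining,
a default-deny country allowlist, and matching ISAC indicators against
what actually left the network.

Added example, not code from the original post. Every flow record, the
allowlist and the indicator list below are constructed for illustration.
"""
from collections import defaultdict
from ipaddress import ip_address, ip_network
from statistics import median

# Constructed flow summaries: (day, source host, destination IP,
# destination country, bytes sent outbound). Real input would come from
# NetFlow/IPFIX, cloud VPC flow logs or proxy logs.
FLOWS = [
    # baseline week for fileserver01: roughly 50 MB/day of normal SaaS traffic
    ("2024-04-01", "fileserver01", "203.0.113.10", "US", 48_000_000),
    ("2024-04-02", "fileserver01", "203.0.113.10", "US", 51_000_000),
    ("2024-04-03", "fileserver01", "203.0.113.10", "US", 47_000_000),
    ("2024-04-04", "fileserver01", "203.0.113.10", "US", 53_000_000),
    ("2024-04-05", "fileserver01", "203.0.113.10", "US", 49_000_000),
    # staging day: 6 GB pushed to a rented server in an allowed country
    ("2024-04-06", "fileserver01", "203.0.113.10", "US", 50_000_000),
    ("2024-04-06", "fileserver01", "198.51.100.77", "NL", 6_000_000_000),
    # a workstation sending a tiny beacon to a country we have no business in
    ("2024-04-06", "ws-finance-12", "192.0.2.44", "IR", 12_000),
    ("2024-04-06", "ws-finance-12", "203.0.113.25", "US", 30_000_000),
    # a host touching an address listed in a (constructed) ISAC bulletin
    ("2024-04-06", "ws-hr-03", "198.51.100.5", "US", 8_000),
]

# Assumption: the countries this organisation actually does business with.
ALLOWED_COUNTRIES = {"US", "GB", "DE", "NL"}

# Constructed stand-in for the indicator list in a sector ISAC bulletin.
BULLETIN_INDICATORS = ["192.0.2.44", "198.51.100.0/28"]


def daily_outbound(flows):
    """Total bytes out per host per day."""
    totals = defaultdict(lambda: defaultdict(int))
    for day, host, _dst, _cc, nbytes in flows:
        totals[host][day] += nbytes
    return totals


def top_destination(flows, host, day):
    """Where most of a host's bytes went on a given day, as (ip, country)."""
    per_dst = defaultdict(int)
    for d, h, dst, cc, nbytes in flows:
        if h == host and d == day:
            per_dst[(dst, cc)] += nbytes
    return max(per_dst, key=per_dst.get)


def exfil_alerts(flows, ratio=5.0, floor_bytes=1_000_000_000):
    """Question 1: flag host-days whose outbound volume is above an absolute
    floor AND more than `ratio` times that host's median on earlier days.
    The per-host baseline matters: a single company-wide threshold either
    fires on every backup server or misses a normally quiet workstation."""
    alerts = []
    for host, by_day in daily_outbound(flows).items():
        days = sorted(by_day)
        for i, day in enumerate(days[1:], start=1):  # first day has no baseline
            baseline = median(by_day[d] for d in days[:i])
            today = by_day[day]
            if today >= floor_bytes and today > ratio * max(baseline, 1):
                alerts.append({"host": host, "day": day, "bytes": today,
                               "baseline": baseline,
                               "top_destination": top_destination(flows, host, day)})
    return alerts


def geo_violations(flows, allowed=ALLOWED_COUNTRIES):
    """Question 2: default deny. Any destination country not explicitly on
    the allowlist is a finding regardless of volume; the exception, not the
    block, is what needs a documented rationale."""
    return [(day, host, dst, cc) for day, host, dst, cc, _ in flows if cc not in allowed]


def indicator_hits(flows, indicators=BULLETIN_INDICATORS):
    """Question 3: a bulletin is operationalized only when its indicators are
    checked against real traffic. Accepts single addresses and CIDR ranges."""
    networks = [ip_network(i, strict=False) for i in indicators]
    return [(day, host, dst) for day, host, dst, _, _ in flows
            if any(ip_address(dst) in net for net in networks)]


if __name__ == "__main__":
    for a in exfil_alerts(FLOWS):
        print(f"EXFIL  {a['host']} {a['day']}: {a['bytes'] / 1e9:.2f} GB out "
              f"(baseline {a['baseline'] / 1e6:.0f} MB/day), mostly to {a['top_destination']}")
    for day, host, dst, cc in geo_violations(FLOWS):
        print(f"GEO    {host} -> {dst} ({cc}) on {day}: country not on allowlist")
    for day, host, dst in indicator_hits(FLOWS):
        print(f"IOC    {host} -> {dst} on {day}: matches bulletin indicator")
```

Run it and the three checks catch three different things, which is the point of asking all three questions: the 6 GB transfer goes to an allowed country, so only the volume baseline flags it; the 12 KB beacon to a blocked country is far too small for any volume alert and is caught only by the allowlist; and the host talking to a bulletin address in an allowed country at low volume is found only because someone loaded the indicators.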

The Next Board Meeting

The April board meeting will happen whether your organization is prepared or not. The questions above aren’t designed to embarrass your CISO — they’re designed to cut through the noise and surface the decisions that actually reduce your exposure.

Three nation-state actors are actively operating against US and allied targets simultaneously. That’s not a normal threat environment. Your board questions shouldn’t be normal either.

Ask better questions. Get better answers. Make better decisions.

Want a framework for every cyber question your board should be asking?

The Cyber Oversight Card covers 48 governance topics — built for directors who need to ask the right questions without getting lost in the technical weeds.

 Get the Cyber Oversight Card at Stasiak.com
