Frequently Asked Questions

Axon Global has trained over 250 F500 Board Directors, General Counsel and Executive Leadership Team members in Cyber Enterprise Risk Management (ERM).

Here are the current Frequently Asked Questions by Board Members in "Cyber ERM Training for Directors"

Ready to get started? Contact us today for a quote!

Axon is always ready to take your questions. Let us know how we can help you today.

Top Quotes

These quotes are anonymized and fictionalized to protect the innocent. Any resemblance to actual events is purely coincidental. These are posted for awareness and education purposes only, as they demonstrate some of the behaviors that can be modified by sound governance.

Top Lessons Learned

Directors who've survived a cyber breach scenario.

Their experience advises Directors to assume the following:

There is no such thing as cybersecurity; focus on risk management of liability vs. breach prevention. It's now all about resiliency.

Presume that cybersecurity risk and liability are better mitigated with Enterprise Risk Management and Governance than with technology: "what will you wish you had done yesterday, if a breach is discovered tomorrow?"

Presume that cybersecurity compromises invoke survival instincts, as in "Maslow's hierarchy of needs."  Expect unusual and sometimes desperate behavior as a breach or disclosable event develops.

Expect organizational behaviors that, when audited, violate D&O insurance coverage requirements, and/or disqualify cybersecurity insurance protection.

Expect that your organization is not fully informed about cyber compromises and that they are not going to tell you all you need to know. This is true even in F500 companies. Again, accountability processes are key and the "Tone at the Top" defines the culture. For example, have an "anonymous hotline or drop-box" where insiders or outsiders can report known compromises, breaches or tips that reveal exposures, without attribution.

Everyone is part of a critical infrastructure supply chain, and if you don't think federal acquisition rules for cybersecurity standards impact you, think again.

Ransomware is much closer to succeeding in your environment than you might want to believe.

Policy can make or break your organization in a cybersecurity crisis.

When indicators of compromise prevail, assume you are compromised and begin "cleansing," segmenting networks, and reinforcing protection of crown jewels, before there is a breach. Waiting for evidence of a compromise to re-allocate resources is a sure path to cyber compromise mismanagement.

Cybersecurity insurance rarely covers the majority of costs in a cyber breach.

Knowing what questions to ask creates alignment of people, policies, and processes in the right direction.

Presume the general counsel is there to protect the company, not the individual board member.

Neither technology nor government will solve the cybersecurity problem; cyber enterprise risk management tools are the key to protecting reputation and valuation.

The company will eventually be compromised and breached, so practice what to do before it happens.

Presume that cyber risk, risk transfer, risk mitigation, risk reporting, and escalation are not defined for the company. Lead and get these defined.

Presume that the evidence of what your organization did/did not do, and what the organization should/should not have done, with respect to cyber security/compromises/breaches, already exists beyond company walls and is openly discoverable by other stakeholders.

Meeting compliance standards is no longer an acceptable standard for reasonable cybersecurity. Directors will be held accountable for what they knew, and what they should have known.

Do not let IT "black-box" or mystify the cybersecurity risk for your company. Keep asking the questions until you get satisfactory answers. Are we at risk? How do you know? How do you measure that? Is that enough? Has that been audited? By whom? Can I trust it? How do we know that? Would it stand up to [fill in the blank]?

It's not the compromise or breach that causes most of the liability; it's the lack of governance and the potential unethical behavior surrounding the event that costs the most.
