Board technology secures and manages some of the most confidential information within a business. If you’re introducing new technology to your board (such as a digital board portal), you need to be confident in its systems and security. Here are my top 10 questions to ask a technology provider:
1. What is their investment in cyber-security research and development? Cybersecurity threats are continually evolving. A technology provider should be able to demonstrate R&D capabilities that ensure it stays ahead of emerging threats.
2. How transparent are their security processes? The provider should be able to explain clearly its physical security safeguards (such as protection of the servers, routers and other equipment), screening processes for new hires, internal controls, system monitoring (if they were hacked, how would they know?), and any history of security breaches (and their resolution).
3. Does the technology meet industry standards? As third-party handlers of confidential information, any board technology should meet security standards comparable to those of the most demanding IT departments across a number of industries. Look at accreditations such as annual SOC/SSAE 16 audits (covering how providers report on their internal controls) and ISO 27001 certification for the security of their software.
4. Does it allow outside security testing? Solutions with high security standards will conduct frequent vulnerability scans and other security testing in order to keep up with evolving threats. They should also allow you to conduct your own security and penetration testing.
5. Does the solution rely on third-party platforms or software? Solutions built on commercially available platforms, or that use plugins, might come with their own security vulnerabilities, which are attractive to hackers precisely because those platforms are so widespread.
6. What physical security does the provider employ? Digital information is stored on physical servers. Those servers need to be protected in facilities with on-site guards, CCTV and multiple layers of perimeter security. The servers themselves should be housed in secured cages with each hosted organisation’s data logically segregated and encrypted. Their cryptographic keys should be protected by hardened, tamper-resistant devices.
7. What degree of data redundancy is provided? Data should be backed up, and hosting in primary data centres should fail over to disaster recovery data centres, so that an event impacting one location will not affect the secondary location. This should be supported with real-time intelligence on data performance so an issue can be spotted quickly.
8. Can you control user access? This is particularly true for board portals, where users (board members) are likely to be spread around the world and travelling frequently. You might need to disable browser access, or prevent access from unknown devices.
9. Can you customise security? Every security solution involves a trade-off between convenience and security. As a result, one size definitely does not fit all organisations. You should be able to tailor security measures to your specific needs.
10. What level of customer support will you get? Even the best security needs human assistance to ensure that any issues are dealt with promptly.