Ten Key Questions CEOs Should Ask About Cybersecurity Readiness
Learn how a CEO can support their company's cybersecurity in Data Protection 101, our series on the fundamentals of information security.
Some people think that cybersecurity is aimed only at making your system impregnable to hacking attacks, and nothing more. In reality, no system is completely safe. This is why cybersecurity should also focus on managing risks and keeping them at an acceptable level.
Planning for cyberattacks is a good way to ensure that you can prevent most breaches and respond more swiftly when they do happen. As CEO, what are the questions you should ask? Here’s a look at 10 key questions you should be asking about your company’s cybersecurity readiness.
1. What risk management framework are you using? Is this the right framework for you?
There are several risk management frameworks out there that you can use to benchmark and assess your risk profile and cybersecurity approaches.
For instance, you can use the National Institute of Standards and Technology's Cybersecurity Framework. This is a set of best practices that allows you to detect, respond to, and prevent cyberattacks. It can also help you recover after a cyberattack.
Other options include the United States Computer Emergency Readiness Team's Cybersecurity Framework as well as guidelines from different organizations such as the Cloud Security Alliance, the Open Web Application Security Project, ISACA (which established COBIT), and the Federal Financial Institutions Examination Council.
These frameworks should function as a roadmap that helps you implement cybersecurity measures without missing anything. They can help you work towards compliance as well.
2. What are you doing now to prevent cyberattacks?
To answer this question, every business needs to start by evaluating its security baseline: the protections, policies, and processes it currently relies on to protect itself from cyberattacks.
This will help you identify what you still need to do and what controls are missing. You can also implement a defense-in-depth strategy that uses multiple layers of defense throughout your IT system. This would include overlapping security controls, such as an intrusion prevention system, a firewall, and anti-virus software.
3. How do you involve management in the cybersecurity picture?
C-suite executives and other managers need to be involved with cybersecurity, even if they do not belong to the IT department. Simply informing executive management of your overarching cybersecurity practices once a year is no longer enough.
4. How do you include cybersecurity risks in your enterprise risk management? Should they be part of your enterprise risk management at all?
Every business should have enterprise risk management, and ideally, cybersecurity should be part of that process. Cybersecurity should be measured the same way that other business risks are measured.
Managing cybersecurity risk should not be a question of returns on investment. Instead, you should be asking yourself what you risk losing if cybersecurity measures are not implemented properly. For example, Hilton was fined $700k for a data breach, but under the new GDPR compliance laws, that fine could exceed a whopping $420 million – and that doesn’t account for reputation damage and other costs. In other words, you can’t afford to skimp on cybersecurity.
5. How do you handle cyber risks coming from vendors and other third parties?
When you deal with an outside company, you must think about two things:
- What information or data are you sending them, and how sensitive is it?
- What kind of access do you give vendors?
A good way to lower your security risks when dealing with third parties is by working only with vendors that have the right security certifications, such as ISO27001 or SOC2 certifications.
6. Are your employees trained to have a cybersecurity mindset?
Most data breaches are caused by people. A breach could be malicious in origin, like a disgruntled employee stealing files, or it could be unintentional, like an employee who left his or her phone at the local bar.
Spend time educating your employees on the different cybersecurity risks. For instance, you should train them on how to recognize phishing e-mails and other criminal communications so that they can avoid falling victim to an attack.
You should also communicate the importance of security policies and why they are there in the first place. How many of your employees use their own devices at work, and how many of these devices are protected from unauthorized access?
7. How often do you test your cybersecurity incident response plans?
Your incident response plan should include all possible attack scenarios. Your plan should include the typical cyberattacks and a range of possible responses to each situation. Think about the following:
- When do you call law enforcement?
- How will you inform your users and the public in case of a breach?
- How will you limit the damage in the event of a cyberattack?
- Who will be responsible for what response?
- What are the roles that need to be assigned?
Because new threats can show up at any time, you should continually test and update your incident response plans.
8. How protected are you from new threats?
You should have a clear idea of how well your organization can protect itself when new vulnerabilities and exploits come up. Part of your cybersecurity efforts should include threat monitoring – being able to track cybersecurity threats as they emerge.
9. How exposed to risk are you?
Cybersecurity risk is usually defined in terms of exposure. How exposed are your company and its third-party service providers to the risk of attacks or breaches on your system? Aim to strike a balance between your risk appetite and your risk exposure, and act according to this balance. If you feel that you have more risk than you are willing to face, then make sure that you have more cybersecurity risk measures in place.
10. Compared to other companies, how do you rank when it comes to cybersecurity preparedness?
Whether in real life or online, thieves are always looking for the easiest victims to target. If your competitors are more secure than you are, there is a good chance that you will be targeted first. On the other hand, if you put a stronger set of cybersecurity policies and processes in place, then your company will become a less attractive target.
It’s not enough to just prevent hackers from entering your system; you should also have technologies and processes in place to determine what has been stolen from you in the event of a data breach so that you can facilitate the appropriate response and recovery measures.
Is your company cybersecurity ready? As a CEO, you may not be intimately involved in the day-to-day details of your organization’s cybersecurity practices, but asking these 10 questions will ensure that you are in the know.