Cybersecurity Questions Every CEO Should Ask
As technology advances, cyber-attacks become more sophisticated and complex.
Cyber threats affect companies of all sizes, necessitating the participation and attention of CEOs and other senior executives. To help businesses understand their risks and prepare for cyber threats, CEOs should engage their leadership teams on critical cybersecurity risk management themes and implement cybersecurity best practices. Numerous publications outline best practices compiled from incident response operations and lessons learned in cyber risk management.
Concerning potential cybersecurity threats, CEOs should consider the following:
- How might cybersecurity risks affect my company’s various activities, such as supply chain, public relations, finance, and human resources?
- What critical data (trade secrets, customer data, research, personally identifiable information) could be lost?
- How can my company build long-term resiliency to mitigate cybersecurity risks?
- Does my company participate in any cyber-threat data exchange? With whom does my company share this information?
- What kind of information-sharing techniques can my company use to foster community among the various cybersecurity organizations?
What can CEOs do to safeguard themselves against cyber-threats?
The questions below will help CEOs guide discussions with management about their cybersecurity risk:
- What is the standard for informing senior management about cyber-threats?
- What is the current level of cybersecurity risk in our organization?
- What are the possible business ramifications of our current level of cybersecurity?
- What is our strategy for dealing with the identified threats?
- Is cybersecurity training available for our employees?
- What safeguards are in place to protect against insider threats?
- How does our cybersecurity program adhere to industry standards and best practices?
- Are our cybersecurity program’s metrics measurable and meaningful?
- How frequently do we exercise our plans?
Best Practices for Organizational Cybersecurity
The cybersecurity best practices listed below can assist businesses in managing cybersecurity risks.
- Discuss cybersecurity risk management with the CEO and leadership team of the company.
- A comprehensive cybersecurity risk plan necessitates the involvement of the CEO and senior company leadership in defining an organization’s risk strategy and levels of acceptable risk.
The CEO of the company, along with the chief information security officer, chief information officer, and the entire leadership team, should ensure that they understand how their divisions affect the overall cyber risk of the company. Furthermore, regular discussions about these risk decisions with the company’s board of directors ensure that all company decision makers are aware of them.
Executives should create policies from the top down to ensure that everyone has the authority to carry out the tasks associated with their role in reducing cybersecurity risk. A top-down policy defines roles and limits power struggles, which can jeopardize IT security.
- Rather than relying solely on compliance standards or certifications, implement industry standards and best practices.
- Implement industry best practices and benchmarks to reduce cybersecurity risks (e.g., follow best practices from organizations like the Center for Internet Security). Organizations should tailor best practices to ensure that they are applicable to their specific use cases.
- Adhere to consistent best practices to establish an organizational baseline of expected enterprise network behavior. Instead of expending resources to “put out fires,” this enables organizations to combat cybersecurity threats in a proactive manner.
- Compliance standards and regulations (such as the Federal Information Security Modernization Act) provide guidance on minimum requirements; however, businesses can do more to go above and beyond the minimums.
- Assess and manage cybersecurity risks specific to your organization.
- Identify your organization’s critical assets and the consequences of cybersecurity threats to those assets to gain a better understanding of your organization’s specific risk exposure—whether financial, competitive, reputational, or regulatory. The outcomes of risk assessments are critical inputs in identifying and prioritizing specific protective measures, allocating resources, informing long-term investments, and developing cybersecurity policies and strategies.
- Ask the questions needed to understand your security planning, operations, and security-related goals. For example, rather than asking about specific security controls, safeguards, and countermeasures, focus on the goals your organization will achieve by implementing its overall security controls.
- Focus cyber enterprise risk discussions on “what-if” scenarios and avoid the “it can’t happen here” mentality.
- As a corporate practice, develop a repeatable process for cross-training employees in risk and incident management. Employees with critical subject matter expertise are few, and that knowledge should not depend on a handful of individuals.
- Ensure that cybersecurity risk metrics are relevant and measurable.
- The time it takes an organization to patch a critical vulnerability across the enterprise is an example of a useful metric. In this case, reducing the number of days it takes to patch a vulnerability reduces the risk to the organization.
- A less useful metric is the number of alerts received by a Security Operations Center (SOC) in a week. The number of alerts received by a SOC contains far too many variables for this figure to be consistently relevant.
- Create and put into action cybersecurity plans and procedures for incident response, business continuity, and disaster recovery.
- Organizations must test their incident response plans across the entire organization, not just in the IT environment. Each department within the organization should be prepared to handle both minor and major cybersecurity incidents. It is possible to prevent an incident from escalating by testing incident response plans and procedures.
- Incident response plans should specify when an incident should be escalated to the next level of command. By regularly practicing incident response plans, an organization can respond to incidents quickly and with minimal impact.
- Maintain a high-quality workforce.
- Cybersecurity tools are only as good as the people who review the results of the tools. It is also critical to have personnel who can identify the appropriate tools for your organization. Learning a complex organization’s enterprise network can take a significant amount of time, making retaining skilled personnel just as important as acquiring them. There is no one-size-fits-all solution for preventing all cybersecurity threats, but knowledgeable IT personnel are critical to lowering cybersecurity risks.
- New cybersecurity threats emerge on a regular basis. Personnel tasked with detecting cybersecurity threats require ongoing training. Training increases the likelihood of personnel detecting and responding to cybersecurity threats in accordance with industry best practices.
- Ensure that adequate planning is in place to account for the additional workload associated with mitigating cybersecurity risks.
- Cybersecurity is becoming a formal discipline with a task orientation that necessitates specific alignments to key knowledge, skills, and abilities. The National Initiative for Cybersecurity Careers and Studies (NICCS) is a good place to start when it comes to workforce planning.
- Maintain situational awareness of cybersecurity threats.
- Subscribe to receive notifications about new cybersecurity threats (e.g., National Cyber Awareness System products, MITRE Common Vulnerabilities and Exposures (CVE), CERT Coordination Center Vulnerability Notes). Create a summary of the most recent cybersecurity threats your organization has faced (e.g., phishing emails, malware, ransomware) for distribution to personnel outside of your IT department to help reinforce their role in reducing cybersecurity risk.
- Investigate the available communities of interest. Sector-specific Information Sharing and Analysis Centers (ISACs), the Homeland Security Information Network (HSIN), and other government and intelligence programs may fall into this category.