5 questions to ask your CEO about cybersecurity

By Michelle Drolet, Contributor, CSO | Oct 30, 2017

Businesses will continue to face a large number of cyber threats, some of which will impact organizations severely enough to require security measures that reach far beyond compliance. A Ponemon Institute study showed that the average cost per compromised record was approximately $194. Loss of business due to cyber breaches was estimated at approximately $3 million.

As you can see, it's important to make sure that the risk of cyber breaches is taken seriously. 

Compliance standards will enable your organization to establish a solid baseline to deal with known risks, but this does nothing to address new and changing threats. Also, more sophisticated threats and vulnerabilities aren't always known or covered in compliance. You need to have a risk-based approach to this, so that your organization will have a more cost-effective and comprehensive management of these risks. 

To approach this problem in the best way possible, advisory organizations have been promoting a different approach. 

The National Institute of Standards and Technology (NIST) and the US government have both issued some updated guidelines. While both involve recommendations to business organizations to make a shift towards real-time assessments and continuous monitoring of cyber risks, let's consider what Homeland Security says are the five key questions to ask your CEO. 

  1. How specifically is the executive body of leaders kept up to date on the current level of cyber risks and impact to the business?
  2. What is currently the level and impact of cyber risks to the business? What key plans or strategies exist to deal with risks that have been identified?
  3. How specifically is our current cybersecurity program applying industry standards and best practices?
  4. Throughout the course of a week, how many and what types of incidents are detected within the company? What standard threshold is used to alert the executive body of leaders?
  5. Just how thorough is our cyber incident response plan? How many times a week or a month is it tested?

As you can see, these questions all lead you to a risk-based approach. With this approach, you're not just adhering to compliance standards. You're using a comprehensive approach that leverages best practices and industry standards to identify possible problems, along with processes in place to keep everyone informed. This will enable you to increase the chances of a fast and timely response to possible cybersecurity threats. It will also increase the chance of a quick and easy recovery when such an event should occur. 

Time is crucial in this matter. Early response actions can decrease the negative impact to your organization and possibly eliminate it altogether. The key to this is planning. This is more than just having a checklist in place and then going down the list, checking off each task. It involves continuous, comprehensive, risk-based preparation in conjunction with your business leadership, public affairs, general counsel, system operators, continuity planners, CEO and your chief security officers.
