The role of the C-suite executive is to make sure that the company runs smoothly and profitably. To do that, executives need to be aware of all the risks the company faces, including the main cyber risks threatening organizations today. This is why the executive team needs a Chief Security Officer (CSO): someone who can answer questions about the company’s security posture and recommend concrete improvements.
In this blog post, we will explore 5 critical questions CEOs should be asking their CSOs. These questions will help CEOs gain a better understanding of their company’s cybersecurity risks and what can be done to mitigate them.
1. Do we have a cyber resilience plan in place?
In the board room, “cybersecurity” and “resilience” are often used interchangeably, but they are different concepts. Cybersecurity is about preventing attacks and protecting data; resilience is about continuing to operate and recovering quickly when an attack succeeds despite those defences. A cyber resilience plan should be in place so that the company can keep operating in the aftermath of a malicious cyberattack.
A good resilience plan includes the following:
An incident response plan
This should set out who must be notified in the event of an attack, what each person’s role is, and who has the authority to make decisions such as isolating systems or notifying regulators. It should also include contact information for key personnel, such as the CEO, CFO, and CSO, kept somewhere that remains reachable if corporate email and directories are down.
A data backup and recovery plan
This should ensure that all critical data is backed up and can actually be recovered in the event of an attack. A backup that has never been restored is an assumption, not a control: restores should be rehearsed, and at least one copy should be kept offline or immutable so that an attacker who reaches the production network cannot encrypt or delete it too. According to a figure commonly attributed to the National Cyber Security Alliance, 60% of companies that suffer a major data loss go out of business within six months.
A business continuity plan
This should set out how the company will keep operating during a major cyber incident: which business processes come first, what manual workarounds exist, and how long each system can be down before the damage becomes serious. It should also provide for out-of-band communication, such as phone or a messaging service independent of the corporate network, in case email and other primary channels are unavailable or compromised.
2. Are our security controls regularly tested?
There is no one-size-fits-all solution when it comes to security controls. The right mix will vary with the size and type of the company and the industry it operates in. That said, there are five main categories of security controls that every company should have in place, and each should be tested on a regular schedule rather than assumed to work:
Cyber access controls
Cyber access controls govern who can log in to systems and what they can do once they are in: authentication (password policies, two-factor authentication), authorization and least-privilege access, and account lifecycle management such as removing access when people leave. A penetration test can be used to assess whether these controls actually hold up against an attacker.
Procedural controls
Procedural controls are the policies and procedures that must be in place for the other controls to be effective. They cover topics such as incident response, data backup and recovery, and business continuity, and they are tested through tabletop exercises and restore drills rather than technical scans.
Technical controls
Technical controls are the hardware and software solutions used to protect data and systems, such as firewalls, intrusion detection systems, endpoint protection, and encryption. They should be tested regularly with vulnerability scans and penetration tests, and their logs reviewed to confirm that they actually fire when something goes wrong.
Compliance controls
Compliance controls are the policies and procedures a company needs in place to meet its regulatory obligations. They vary by industry but often include requirements for data security, incident response, and business continuity. Any business that stores, processes, or transmits payment card data, e-commerce included, must comply with the PCI DSS standard protecting cardholders’ data.
Physical access controls
Physical access controls are the mechanisms used to protect data and systems from unauthorized physical access. They can include security guards, CCTV systems, and security fences, but also extend to user access controls, such as badge readers and biometric scanners.
3. Is our remote workers’ environment secure?
Remote workers should be protected by the same security controls as staff working in the office. This includes a VPN connection, an antivirus or endpoint protection program, and a firewall, but also more specific elements such as intrusion detection and user access control mechanisms. An intrusion detection system monitors network or endpoint activity for unusual behaviour and can alert the security team to a possible attack; for remote staff it has to run on the laptop itself or at the VPN gateway, since the home network is outside the company’s view.
User access control mechanisms ensure that only authorized users can reach company data and that they can reach only the data they need to do their job: two-factor authentication verifies who the user is, while authorization and least-privilege rules limit what that user can do. Following cybersecurity best practices for remote work, such as keeping devices patched, encrypting laptops, and not sharing work devices with family members, also goes a long way in helping secure the teleworking infrastructure.
4. What is the biggest threat to data security?
An IBM/Ponemon Institute study indicates that 90% of data breaches are due to human error, such as clicking a link in a phishing email or using a weak password. To address this, companies need a strong cyber awareness program that trains employees to spot and avoid common security threats, backed by controls such as two-factor authentication that limit the damage when someone inevitably slips.
That being said, a single click on a phishing link can open the door to one of the most damaging attacks a company can face: ransomware. In this type of attack, the attacker encrypts the victim’s data and demands a ransom for the decryption key; many groups also steal a copy of the data first and threaten to publish it if the ransom is not paid. To protect against this, companies need backups they can actually restore from, kept offline or immutable so that the attacker cannot encrypt them along with everything else, together with the ability to detect and contain the intrusion before it spreads.
A ransomware readiness assessment of your systems can be very effective in preparing your organization for such an attack.
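As an added example that is not from the original post, the Python script below shows the kind of check that sits behind “do we have backups we can actually restore from”. It hashes each backup snapshot against a manifest taken from a known-good copy, flags files that went missing, changed, or appeared (the signature of ransomware reaching the backup store), and then picks the newest clean snapshot that still satisfies the recovery point objective (RPO). The file paths, contents, timestamps, and the 36-hour RPO are all constructed for the example.

```python
"""Backup integrity and recovery-point check.

Constructed example, not code from the original post. A manifest records the
SHA-256 of every file in a known-good backup set. Before trusting a snapshot
for restore, re-hash it and compare: files that changed, vanished or appeared
are the signature of ransomware that reached the backup store. Then pick the
newest clean snapshot that still satisfies the recovery point objective (RPO).
"""
import hashlib
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def build_manifest(files: Dict[str, bytes]) -> Dict[str, str]:
    """Map path -> SHA-256 for a backup set known to be clean."""
    return {path: sha256_hex(content) for path, content in files.items()}


@dataclass
class SnapshotReport:
    taken_at: datetime
    missing: List[str] = field(default_factory=list)     # in manifest, not in snapshot
    modified: List[str] = field(default_factory=list)    # present but hash differs
    unexpected: List[str] = field(default_factory=list)  # in snapshot, not in manifest

    @property
    def clean(self) -> bool:
        return not (self.missing or self.modified or self.unexpected)


def verify_snapshot(manifest: Dict[str, str], files: Dict[str, bytes],
                    taken_at: datetime) -> SnapshotReport:
    """Compare a snapshot (path -> bytes) against the manifest."""
    report = SnapshotReport(taken_at=taken_at)
    for path, expected in manifest.items():
        if path not in files:
            report.missing.append(path)
        elif sha256_hex(files[path]) != expected:
            report.modified.append(path)
    report.unexpected = sorted(p for p in files if p not in manifest)
    return report


def newest_clean_snapshot(reports: List[SnapshotReport], rpo: timedelta,
                          now: datetime) -> Optional[SnapshotReport]:
    """Most recent clean snapshot no older than the RPO, or None if there is none."""
    usable = [r for r in reports if r.clean and now - r.taken_at <= rpo]
    return max(usable, key=lambda r: r.taken_at) if usable else None


# --- constructed sample data (paths, contents and times are made up) ---
GOOD_SET = {
    "finance/ledger.csv": b"date,account,amount\n2024-02-28,4000,120.00\n",
    "hr/payroll.db": b"SQLite format 3\x00constructed",
    "crm/contacts.json": b'[{"name": "constructed"}]',
}
MANIFEST = build_manifest(GOOD_SET)
NOW = datetime(2024, 3, 1, 9, 0, tzinfo=timezone.utc)

# Snapshot taken 25 hours ago: an intact copy of the good set.
SNAPSHOT_INTACT = dict(GOOD_SET)

# Snapshot taken 2 hours ago, after ransomware reached the backup share:
# one file overwritten with ciphertext, one renamed with a .locked suffix,
# and a ransom note dropped in the root.
SNAPSHOT_HIT = {
    "finance/ledger.csv": b"\x8f\x12\xa0\x33constructed-ciphertext",
    "hr/payroll.db": GOOD_SET["hr/payroll.db"],
    "crm/contacts.json.locked": b"\x00\xff\x17constructed-ciphertext",
    "README_TO_RESTORE.txt": b"constructed ransom note",
}


def run_check(now: datetime = NOW, rpo: timedelta = timedelta(hours=36)):
    """Verify both snapshots and choose the one that is safe to restore from."""
    reports = [
        verify_snapshot(MANIFEST, SNAPSHOT_INTACT, now - timedelta(hours=25)),
        verify_snapshot(MANIFEST, SNAPSHOT_HIT, now - timedelta(hours=2)),
    ]
    return reports, newest_clean_snapshot(reports, rpo, now)


if __name__ == "__main__":
    reports, best = run_check()
    for r in reports:
        print(f"{r.taken_at:%Y-%m-%d %H:%M} clean={r.clean} missing={r.missing} "
              f"modified={r.modified} unexpected={r.unexpected}")
    print("restore from:",
          f"{best.taken_at:%Y-%m-%d %H:%M}" if best else "NO CLEAN SNAPSHOT WITHIN RPO")
```

With these inputs the newer snapshot is rejected and the 25-hour-old one is chosen; tighten the RPO to 12 hours and the script reports that no clean snapshot qualifies, which is exactly the gap a restore drill should surface before an incident does. In practice the manifest is produced when the backup is taken and stored separately from the backup itself, so an attacker who reaches the backup store cannot rewrite both.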
5. Do we need cybersecurity insurance?
The answer to this question depends on the organization’s industry and business. Heavily regulated industries, such as healthcare and finance, often find that regulators, partners, or customers expect or contractually require them to carry cybersecurity insurance; others, such as retail and manufacturing, are generally under no such expectation.
However, policies have limitations: many exclude or cap losses caused by insiders or by social engineering such as phishing, and insurers increasingly require controls such as two-factor authentication and tested backups before they will write a policy at all. Implementing a robust security plan to protect your systems and data is therefore the best insurance or protection your organization could ever get.
Depending on your sector and business, this list of critical questions could change to include other or different questions, such as any of the following:
- What type of data do we collect?
- Where is our data stored?
- Who has access to our data?
- How do we protect our data from unauthorized access?
- What are our incident response procedures?
Any list of questions is meant to get you started on a board room conversation for best securing your data, reputation, and bottom line.
Companies with a strong cybersecurity plan in place are less likely to experience a data breach, so make sure to have a plan in place and keep it regularly updated.