The 5 security questions CEOs need to ask their CSOs and CIOs
As the volume, intensity and sophistication of cybersecurity threats continue to increase, CEOs are becoming more invested in how the business protects itself. Just as businesses realise the benefits of technologies, they must also now mitigate the risks associated with those technologies.
A successful cyberattack no longer simply creates a headache for the IT team. It can cause significant reputational and financial damage for the entire business. At the same time, the security culture of an organisation can be complex and pervades every element of a business.
It is not just an IT issue or a function of the security department. This makes it critical for CEOs to familiarise themselves with their organisations’ internet security policies and procedures, since they are increasingly held accountable for any failures, and to decide what tone they want to set in promoting a solid security culture.
For organisations to meet their full potential while mitigating risk, chief security officers (CSOs) and chief information officers (CIOs) have to answer more detailed security questions.
Here are five key questions to consider:
1. How is the business preparing to handle more serious and frequent threats?
The practices that have kept an organisation secure in the past are no longer enough to combat modern threats. Preventing incursions still needs to come first. However, cybercriminals are gaining access through the network perimeter in more sophisticated ways, so it’s crucial to have a system that also monitors outbound traffic to minimise the amount of damage caused to the internal environment if a breach does occur. This should also extend to the endpoint where advanced solutions are needed to prevent a successful cyberattack.
2. What processes does the business use to monitor cloud-based applications?
Organisations often rely on cloud services for team collaboration, so they need to develop strategies to minimise the associated data-loss risks. While collaboration is essential, it’s also important to monitor traffic and educate staff regarding the risks to minimise the chance of a breach.
3. How does the company protect data in the cloud?
Protecting the organisation’s data in the cloud requires a multi-faceted approach. When dealing with elastic, programmable cloud services, the only way to close gaps in security standards is through automation and by adopting cloud-specific security tools and technologies.
4. What is the business doing to manage security across the Internet of Things (IoT)?
IoT devices are already entering the business environment. Organisations need to address this potential vulnerability now, or inevitably face security threats. The business needs to choose devices with maximum built-in security features, then take steps to increase security such as changing the factory-set passwords.
It’s also important to implement rules around what devices can be connected to the network for what purposes. Furthermore, organisations must invest in security technology that is application- and device-aware, and can control these devices to keep them secure.
5. What is the response plan in the event of a data breach?
Many cybersecurity experts now believe that it is no longer a matter of ‘if’ but ‘when’ you will be breached. The critical difference between organisations that will survive a data breach and those that won’t is the implementation of a cyber resilience strategy, which includes incident response planning and disaster recovery strategies to bounce back from a cyberattack with minimal business disruption. The CEO should also be aware of the laws governing the company’s duties to disclose a data breach.
There are likely to be specific areas of concern for organisations beyond these five key discussion points. IT security leaders must open a constant dialogue with CEOs to ensure the leadership team is aware of the cybersecurity risks facing the organisation, as well as how to address or mitigate these risks.
CEOs can’t dismiss IT security as someone else’s responsibility; they must work together with the CIOs and CSOs to keep the organisation safe.