Recently the New York Stock Exchange (NYSE) released a cybersecurity guide for public companies and succinctly captured five questions CEOs should ask to improve security. I have reposted the questions here, along with some thoughts and context on the "so what" behind the answers to these questions.
The Five Questions CEOs Should Ask To Improve Security
1: What is the current level and business impact of cyber risks to our company? What is our plan to address identified risks?
Risk is hard to quantify, but you have to try. The effort spent measuring risk can often reveal decisions narrowly made through the filter of budget pressures without the business explicitly accepting the risk resulting from those decisions. We’ve worked with organizations obsessed with management by headcount – don’t go over X number – without understanding the consequences of that broadly applied guidance.
CEOs should explore and push their teams to quantify the maturity of processes and the number of people in place to support tool investments. More often than not, organizations have more tools than can be effectively deployed and supported with the existing staff. The risk discussion has to go beyond tools and delve into the effectiveness of those tools in addressing risk.
Ironically, this is no different from the rest of the business. Your Enterprise Resource Planning system, for example, doesn’t do anything without the people and processes to make it run effectively. Don’t let the security risk discussion start and stop with the products you have purchased.
2: How is our executive leadership informed about the current level and business impact of cyber risks to our company?
At a mature company, every other business-enabling or supporting function has a set of metrics and reporting to inform business decisions. Finance is probably the most mature, measuring, among other things, return on investment, sales, orders, backlog, profit, revenue – the list goes on. Security should be treated no differently, with one caveat: don’t expect the reporting and metrics to be as mature as those of the other functions on day one.
Security is not finance, and truthfully we are all still figuring out the right things to measure and report. It will vary with the maturity of each individual organization. Be patient and expect the value and fidelity of the reporting to evolve.
3: How does our cybersecurity program apply industry standards and best practices?
This is critical and, again, no different from how you measure the rest of your business. Finance may follow Generally Accepted Accounting Principles (GAAP). Other parts of your organization will use Capability Maturity Model Integration (CMMI). Security should be held to the same level of rigor and accountability. Depending on your industry and level of maturity, there are several frameworks to choose from, including NIST Special Publication 800-53 and the recently released Center for Internet Security Critical Security Controls for Effective Cyber Defense Version 6.0. Pick a framework and conduct an assessment against it to measure your maturity.
4: How many and what types of cyber incidents do we detect in a normal week? What is the threshold for notifying our executive leadership?
Again, metrics and reporting are critical here. How do you measure the effectiveness of your incident response? Remediation time? Dwell time? Return to operation for the impacted business? Breakdown by business line to understand what is being targeted? These questions can all be answered with meaningful metrics that make sense for your organization.
5: How comprehensive is our cyber incident response plan? How often is the plan tested?
In mature organizations, the plan gets tested every day by real threats. If you are just beginning to think about building your capability, any gaps will be discovered and improvements recommended if and when you conduct an assessment of your entire security program against industry standards and best practices.
How Can CyberSheath Help Your Organization?
CyberSheath offers security assessments to help your organization begin with a clear understanding of where you stand with regard to industry standards. An assessment and the data it yields enable your organization to create a roadmap based on metrics that emphasize priorities for your short- and long-term goals. Beginning with an assessment of your organization’s security environment will allow you to better evaluate the five questions discussed above and set a baseline you can measurably improve upon.