The Five Questions CEOs Should Ask To Improve Security

By Eric Noonan • October 16, 2015

Recently the New York Stock Exchange (NYSE) released a cybersecurity guide for public companies that succinctly captured five questions CEOs should ask to improve security. I have reposted the questions here, along with some thoughts and context on the “so what” behind the answers to these questions.

1: What is the current level and business impact of cyber risks to our company? What is our plan to address identified risks?

Risk is hard to quantify, but you have to try. The effort spent measuring risk can often reveal decisions narrowly made through the filter of budget pressures without the business explicitly accepting the risk resulting from those decisions. We’ve worked with organizations obsessed with management by headcount – don’t go over X number – without understanding the consequences of that broadly applied guidance.

CEOs should explore and push their teams to quantify the maturity of their processes and the number of people in place to support tool investments. More often than not, organizations have more tools than can be effectively deployed and supported with the existing staff. The risk discussion has to go beyond tools and delve into the effectiveness of those tools in addressing risk.

Ironically, this is no different from the rest of the business. Your Enterprise Resource Planning system, for example, doesn’t do anything without the people and processes to make it run effectively. Don’t let the security risk discussion start and stop with the products you have purchased.

2: How is our executive leadership informed about the current level and business impact of cyber risks to our company?

At a mature company, every other business-enabling or supporting function has a set of metrics and reporting to inform business decisions. Finance is probably the most mature, measuring, among other things, return on investment, sales, orders, backlog, profit, revenue – the list goes on. Security should be treated no differently, with one caveat: don’t expect the reporting and metrics to be as mature as those of the other functions on day one.

Security is not finance, and truthfully we are all still figuring out the right things to measure and report. It will vary with the maturity of each individual organization. Be patient and expect the value and fidelity of the reporting to evolve.

3: How does our cybersecurity program apply industry standards and best practices?

This is critical and, again, no different from how you measure the rest of your business. Finance may follow Generally Accepted Accounting Principles (GAAP). Other parts of your organization will use Capability Maturity Model Integration (CMMI). Security should be held to the same level of rigor and accountability. Depending on your industry and level of maturity there are several frameworks to choose from, including NIST Special Publication 800-53 and the recently released Center for Internet Security Critical Security Controls for Effective Cyber Defense Version 6.0. Pick a framework and conduct an assessment against it to measure your maturity.

4: How many and what types of cyber incidents do we detect in a normal week? What is the threshold for notifying our executive leadership?

Again, metrics and reporting are critical here. How do you measure the effectiveness of your incident response? Remediation time? Dwell time? Return to operation for the impacted business? Broken out by business line, to understand what is being targeted? These questions can all be answered with valuable metrics that make sense for your organization.
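To make the metrics in this question concrete, here is an added example (not from the original post or from CyberSheath) that computes dwell time, remediation time and return-to-operation from a handful of constructed incident records, rolls them up by business line, counts incidents detected in a given week, and applies an assumed executive-notification threshold. The field names, the four sample incidents and the thresholds (high severity, dwell longer than 7 days, or return to operation longer than 24 hours) are all assumptions chosen for illustration; an organization would set its own.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta
from statistics import median


@dataclass
class Incident:
    """One closed incident; timestamps are assumed field names, not a real schema."""
    ident: str
    business_line: str
    severity: str            # "low" | "medium" | "high"
    first_activity: datetime  # earliest attacker activity established by forensics
    detected: datetime        # when the security team first identified the incident
    contained: datetime       # when the threat was stopped from spreading
    restored: datetime        # when the affected business function was back in service


def dwell_time(i: Incident) -> timedelta:
    """Time the intruder was active before anyone noticed."""
    return i.detected - i.first_activity


def remediation_time(i: Incident) -> timedelta:
    """Time from detection to containment."""
    return i.contained - i.detected


def return_to_operation(i: Incident) -> timedelta:
    """Time from detection until the impacted business line was restored."""
    return i.restored - i.detected


def _hours(td: timedelta) -> float:
    return td.total_seconds() / 3600


def summarize_by_business_line(incidents: list[Incident]) -> dict[str, dict[str, float]]:
    """Per-business-line rollup: count, median dwell/remediation, worst return-to-operation."""
    by_line: dict[str, list[Incident]] = defaultdict(list)
    for i in incidents:
        by_line[i.business_line].append(i)
    summary = {}
    for line, items in by_line.items():
        summary[line] = {
            "count": len(items),
            "median_dwell_hours": median([_hours(dwell_time(i)) for i in items]),
            "median_remediation_hours": median([_hours(remediation_time(i)) for i in items]),
            "max_return_to_operation_hours": max(_hours(return_to_operation(i)) for i in items),
        }
    return summary


def incidents_in_week(incidents: list[Incident], week_start: datetime) -> list[Incident]:
    """Incidents detected in the seven days starting at week_start (answers 'how many per week')."""
    week_end = week_start + timedelta(days=7)
    return [i for i in incidents if week_start <= i.detected < week_end]


def needs_executive_notification(
    i: Incident,
    max_dwell: timedelta = timedelta(days=7),
    max_return_to_operation: timedelta = timedelta(hours=24),
) -> bool:
    """Assumed escalation threshold: high severity, long dwell, or slow return to operation."""
    return (
        i.severity == "high"
        or dwell_time(i) > max_dwell
        or return_to_operation(i) > max_return_to_operation
    )


# Constructed sample records (dates are fictitious).
SAMPLE_INCIDENTS = [
    Incident("INC-1", "retail", "low",
             datetime(2015, 10, 1, 8), datetime(2015, 10, 1, 10),
             datetime(2015, 10, 1, 12), datetime(2015, 10, 1, 14)),
    Incident("INC-2", "retail", "medium",
             datetime(2015, 9, 20, 0), datetime(2015, 10, 2, 9),
             datetime(2015, 10, 2, 15), datetime(2015, 10, 3, 9)),
    Incident("INC-3", "finance", "high",
             datetime(2015, 10, 5, 1), datetime(2015, 10, 5, 3),
             datetime(2015, 10, 5, 4), datetime(2015, 10, 5, 6)),
    Incident("INC-4", "finance", "low",
             datetime(2015, 10, 9, 10), datetime(2015, 10, 9, 11),
             datetime(2015, 10, 9, 11, 30), datetime(2015, 10, 9, 12)),
]

if __name__ == "__main__":
    for line, stats in summarize_by_business_line(SAMPLE_INCIDENTS).items():
        print(line, stats)
    week = datetime(2015, 9, 28)
    print("detected week of", week.date(), "->", len(incidents_in_week(SAMPLE_INCIDENTS, week)))
    for i in SAMPLE_INCIDENTS:
        print(i.ident, "notify executives:", needs_executive_notification(i))
```

Medians rather than averages are used deliberately: one incident with a months-long dwell time would otherwise dominate the weekly number and hide whether routine detection is improving. The per-business-line breakdown is what lets leadership see which part of the company is being targeted, which is the "so what" behind the question.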

5: How comprehensive is our cyber incident response plan? How often is the plan tested?

In mature organizations, the plan gets tested every day by real threats. If you are just beginning to think about building your capability, any gaps will be discovered and improvements recommended if and when you conduct an assessment of your entire security program against industry standards and best practices.

How Can CyberSheath Help Your Organization?

CyberSheath offers security assessments to help your organization begin with a clear understanding of where you stand with regard to industry standards. An assessment and the data it yields enable your organization to create a roadmap based on metrics that emphasize priorities for your short- and long-term goals. Beginning with an assessment of your organization’s security environment will allow you to better evaluate the five questions discussed above and set a mark you can measurably improve upon.
