The two-way conversation you need to have with your CEO on cybersecurity

A CISO’s guide to tough cybersecurity conversations

With cyberattacks featuring regularly in mainstream news, it’s good to see that Boards and CEOs are becoming more cybersecurity conscious. But, how prepared are you to deal with their questions or concerns? And moreover, what are the key things you need them to understand about cybersecurity?

Here are the 10 questions you need to be able to answer, as your CEO is likely to ask (if they aren’t already):

1. What is our current level of cyber risk?

Additional things to consider: What are the threats, risks and vulnerabilities to us as a business? How well are we positioned to address them under our current cybersecurity posture?

2. How much of our cyber risk is internal vs external?

Additional things to consider: Do I have to worry about insider threats (malicious or not)? Are we further exposed or at risk by partners, suppliers and vendors?

3. How well are we positioned to deal with cyberattacks and risks?

Additional things to consider: Do we have the right cybersecurity technology, tools, capabilities, skills and expertise to deal with the risks? How sound is our cybersecurity posture in the context of the global threat/industry/our business threat landscape?

4. What is our incident response and disaster recovery plan?

Additional things to consider: Will we be able to react quickly in the event of a cyberattack? How well are you integrated with our legal and communication teams should there be an issue?

5. Is our data secure?

Additional things to consider: How do we secure data when it is in motion, in use and at rest? Are we meeting our compliance obligations? What would we do if there were a data breach?

6. How do we educate and enable our employees on cybersecurity?

Additional things to consider: What do we need to do to ensure our employees aren’t putting us at risk? How do we protect our employees from being a target?

7. What would be the cost to our business of a successful attack?

Additional things to consider: What are some examples of successful attacks and what has been the damage in terms of financial losses, brand and reputational damage, legal exposure and market competitiveness (in the case of IP theft)?

8. Do we need cybersecurity insurance?

Additional things to consider: What is cybersecurity insurance? What’s covered? What’s excluded? What do we need to have in place to fulfil our insurance obligations and be covered if something does occur? i.e. what’s in the fine print? And what’s the cost involved?

9. Where do we rank compared to other organisations in terms of cybersecurity preparedness?

Additional things to consider: What are my peers and competitors doing? What can we learn from other industries? Are we doing more or less than we should? What should we be doing differently?

10. What role do you need management to play in effective cybersecurity management?

Additional things to consider: What roles do senior leaders and the board play in managing and overseeing the cyber incident response? Building a security mindset into our corporate culture?

And here are the 5 key things you need your CEO to understand about the changing role of cybersecurity, and some key talking points:

1. We need to be secure by design:

    • Cybersecurity can no longer be an afterthought as we build, manage and roll out digital transformation strategies and initiatives that deliver business outcomes; we must now be secure by design.
    • Secure by design is two-pronged:
      • It starts with building a cybersecurity mindset into the overall corporate and digital strategies.
      • And it requires the development of a SecDevOps culture, so that as we build and deploy the actual technologies and services we’ll use as a business, we’ve considered security from the get-go, rather than incurring additional costs and time to redesign and add it in later.

2. We need an enterprise risk-profile that we can align IT/Security plans to:

    • What is our direction, and what are our goals and objectives as a business? Are we steady-state, in which case, fewer innovations are perhaps needed, or are we truly trying to transform the way we do things, in which case there will be many changes across the business?
    • What are our legal obligations? In other words, where can we make no exceptions and take zero cybersecurity risks – i.e. data and privacy regulations, ensuring we meet our compliance requirements.
    • Where are we not willing to take risks? i.e. protecting your intellectual property.
    • What types of risks are we willing to accept? i.e. Bring-your-own-device or application, because the productivity and usability outweigh the potential known risks to our business.

3. Our digital footprint is growing, whether IT knows about it or not:

    • A digital footprint is more than infrastructure we sanction to deploy (e.g. network, data centre).
    • It’s also whatever we share with our customers, suppliers and partners; the BYOD/IoT devices connecting to our network; the app built for a one-time marketing event; the official and fake social media accounts, websites and applications that represent our employees and our business; and the decentralised technologies business units deploy without checking with IT or security teams first.
    • We need to ensure we have the capabilities to manage this growing footprint – it’s growing exponentially.

4. More money doesn’t mean fewer problems – we need to invest smartly:

    • Spending more money doesn't necessarily make us more secure or reduce our risk.
    • We need to make sure that money is spent in the right way for our organisation.
    • What informs how we spend effectively is our risk-profile and our cybersecurity posture.

5. We need to be more intelligent and predictive with cybersecurity:

    • One key area that we need to invest in is predictive intelligence.
    • We can get cybersecurity right 99% of the time, but attackers only need to exploit the 1% in order to do tremendous damage to our business.
    • Predictive intelligence helps us to stay one step ahead of cybercriminals because we understand where and when they plan to act next.
    • This creates a dynamic, rather than a static cybersecurity posture and helps to ensure we are flexible and agile against the changing threat landscape and risks to our business.
    • We’ll also be applying our resources to where it matters.