The two-way conversation you need to have with your CEO on cybersecurity
A CISO’s guide to tough cybersecurity conversations
With cyberattacks featuring regularly in mainstream news, it’s good to see that boards and CEOs are becoming more cybersecurity conscious. But how prepared are you to deal with their questions or concerns? And, moreover, what are the key things you need them to understand about cybersecurity?
Here are the 10 questions you need to be able to answer, because your CEO is likely to ask them (if they aren’t already):
1. What is our current level of cyber risk?
Additional things to consider: What are the threats, risks and vulnerabilities to us as a business? How well are we positioned to address them under our current cybersecurity posture?
2. How much of our cyber risk is internal vs external?
Additional things to consider: Do I have to worry about insider threats (malicious or not)? Are we further exposed or at risk by partners, suppliers and vendors?
3. How well are we positioned to deal with cyberattacks and risks?
Additional things to consider: Do we have the right cybersecurity technology, tools, capabilities, skills and expertise to deal with the risks? How sound is our cybersecurity posture in the context of the global threat/industry/our business threat landscape?
4. What is our incident response and disaster recovery plan?
Additional things to consider: Will we be able to react quickly in the event of a cyberattack? How well are you integrated with our legal and communication teams should there be an issue?
5. Is our data secure?
Additional things to consider: How do we secure data when it is in motion, in use and at rest? Are we meeting our compliance obligations? What would we do if there were a data breach?
6. How do we educate and enable our employees on cybersecurity?
Additional things to consider: What do we need to do to ensure our employees aren’t putting us at risk? How do we protect our employees from being a target?
7. What would be the cost to our business of a successful attack?
Additional things to consider: What are some examples of successful attacks and what has been the damage in terms of financial losses, brand and reputational damage, legal exposure and market competitiveness (in the case of IP theft)?
8. Do we need cybersecurity insurance?
Additional things to consider: What is cybersecurity insurance? What’s covered? What’s excluded? What do we need to have in place to fulfil our insurance obligations and be covered if something does occur, i.e. what’s in the fine print? And what’s the cost involved?
9. Where do we rank compared to other organisations in terms of cybersecurity preparedness?
Additional things to consider: What are my peers and competitors doing? What can we learn from other industries? Are we doing more or less than we should? What should we be doing differently?
10. What role do you need management to play in effective cybersecurity management?
Additional things to consider: What roles do senior leaders and the board play in managing and overseeing the cyber incident response, and in building a security mindset into our corporate culture?
And here are the 5 key things you need your CEO to understand about the changing role of cybersecurity, with some key talking points for each:
1. We need to be secure by design:
- Cybersecurity can no longer be an afterthought as we build, manage and roll out digital transformation strategies and initiatives that deliver business outcomes; we must now be secure by design.
- Secure by design is two-pronged:
- It starts with building a cybersecurity mindset into the overall corporate and digital strategies.
- And it requires the development of a SecDevOps culture, so that as we build and deploy the actual technologies and services we’ll use as a business, we’ve considered security from the get-go, rather than incurring additional cost and time to redesign and add it in later.
2. We need an enterprise risk-profile that we can align IT/Security plans to:
- What is our direction, and what are our goals and objectives as a business? Are we steady-state, in which case fewer innovations are perhaps needed, or are we truly trying to transform the way we do things, in which case there will be many changes across the business?
- What are our legal obligations? In other words, where can we make no exceptions and take zero cybersecurity risk, e.g. data and privacy regulations, where we must meet our compliance requirements.
- Where are we not willing to take risks? E.g. protecting our intellectual property.
- What types of risk are we willing to accept? E.g. bring-your-own-device or bring-your-own-application, because the productivity and usability outweigh the known potential risks to our business.
3. Our digital footprint is growing, whether IT knows about it or not:
- A digital footprint is more than the infrastructure we sanction and deploy (e.g. network, data centre).
- It’s also whatever we share with our customers, suppliers and partners; the BYOD/IoT devices connecting to our network; the app built for a one-time marketing event; the official and fake social media accounts, websites and applications that represent our employees and our business; and the decentralised technologies business units deploy without checking with IT or security teams first.
- We need to ensure we have the capabilities to manage this footprint, because it’s growing exponentially.
4. More money doesn’t mean fewer problems – we need to invest smartly:
- Spending more money doesn't necessarily make us more secure or reduce our risk.
- We need to make sure that money is spent in the right way for our organisation.
- What informs how we spend effectively is our risk-profile and our cybersecurity posture.
5. We need to be more intelligent and predictive with cybersecurity:
- One key area that we need to invest in is predictive intelligence.
- We can get cybersecurity right 99% of the time, but attackers only need to exploit the remaining 1% to do tremendous damage to our business.
- Predictive intelligence helps us stay one step ahead of cybercriminals because we understand where and when they plan to act next.
- This creates a dynamic, rather than static, cybersecurity posture and helps ensure we are flexible and agile against the changing threat landscape and the risks to our business.
- It also means we apply our resources where they matter most.