In today's threat environment, it is essential for CEOs and other executives to ensure that their organizations understand their exposure to cyber security risk and take appropriate measures to safeguard their IT systems, data stores, and other points of vulnerability.
Below are six questions that CEOs and senior executives should be asking their IT team:
1. Does the Organization Possess a Formal Cyber Security Program that is Regularly Updated?
An organization’s security program should be a holistic effort that considers its industry, regulatory compliance requirements, available resources, and other unique features. Moreover, an organization should continually update its cyber security program to reflect shifting needs and growing threats.
2. Does the Organization Have a Cyber Security Leader?
A formal cyber security program is a blueprint for action – not a guarantee that an organization will, in fact, take action. The latter requires a designated leader with the backing, influence, and resources to execute the plan, to enforce compliance, and to make sure that cyber security remains a high priority throughout the organization. Many organizations designate a chief information security officer (CISO) for this role.
There is no perfect model for the structure of a cyber security team. Some organizations implement a centralized cyber security function for both operations and governance; others utilize a hybrid model that assigns certain accountability to business units.
3. Does the Cyber Security Team Understand its Role?
One indicator that the cyber security team understands its role is whether it has completed a thorough inventory of the organization's systems and data. Such an inventory should draw on input from the IT group and the business units; it should also include input from partners and vendors that manage, or have access to, sensitive systems and data.
Once the cyber security team has completed its inventory, the next stage is to evaluate and prioritize risks. Prioritization should not stop at confidentiality: some systems and data matter most because an attack that corrupts their accuracy and integrity, or interrupts their availability to critical business activities, would cause the greatest harm.
Lastly, consider the role that the cyber security team plays in protecting and training employees – particularly senior executives with access to sensitive data. Research shows that executives often misunderstand data security protocols, and a proactive cyber security program can use training, monitoring, and other methods to address this problem.
4. Does the Organization Have Processes in Place for Detecting and Containing Cyber Attacks?
It is understandable that many cyber security organizations place substantial emphasis on preventing attacks. Yet it is equally vital to improve an organization’s ability to detect attacks, to contain the damage from attacks that do occur, and to gather useful information about current or future attackers’ identities, motives, and tactics. For this reason, more organizations now engage threat assessment teams.
Another route, particularly for smaller organizations, is to engage a managed security service provider (MSSP) to perform threat assessment and intelligence-gathering activities. Although an MSSP can be a valuable part of a cyber security plan, the organization remains accountable for its own security outcomes, so it is still important to define the MSSP's scope and to manage and evaluate its performance.
5. Does the Organization Have a Comprehensive Plan for Responding to Cyber Security Incidents?
Even the most state-of-the-art cyber security programs are liable to experience occasional breaches. Therefore, it is crucial that an effective cyber security program include a comprehensive plan for responding to data breaches. The plan should include details such as:
- Establishing a core incident response team made up of a small group of principal stakeholders that can move quickly to initiate a response;
- Regular testing of the incident response plan; and
- Retaining, in advance, the contractors or service providers (for example, forensic investigators or breach counsel) whose services will be needed after an attack has taken place, so that these providers are available quickly.
6. Does the Organization Utilize Testing, Assessments, and Continuous Improvement as Central Elements of its Cyber Security Plan?
Continuous assessment and improvement are essential in today’s constantly changing cyber security environment. In addition to updating the organization’s formal cyber security plan, a continuous improvement process includes third-party penetration testing, risk assessments, and network security assessments. These independent assessments are useful for obtaining an unbiased view of an organization’s cyber security practices.
Whether or not an organization can answer all of these questions satisfactorily, executives must accept that cyber security is neither an activity with a fixed end state nor a compliance exercise. Attackers are continually improving their methods; as a result, this is a struggle in which negligence and complacency can produce harmful outcomes for an organization. Fortunately, with the right leadership and a willingness to give cyber security the attention it requires, reducing exposure to cyber attacks is possible. Cyber security is a high-stakes challenge for all types of organizations, and it is one where the right executive vision and leadership can have a significant effect on the outcome.
The Litcom Approach
Want to learn more? Litcom will help your organization develop an information security program that is effective, suited to your organization's culture, and cost effective. We offer professional consulting services to help organizations select, plan, and implement information security products and solutions in areas such as:
- Security Information and Event Management (SIEM) technologies;
- Intrusion Detection and Intrusion Prevention Systems (IDPS);
- Identity and Access Management (IAM) solutions; and
- Security Architecture and Design.
We help our clients progress through the various selection stages, from requirements definition, to development of Requests for Proposals (RFPs), to vendor evaluation and contract negotiation, and on to project management and implementation. For more information, please contact us at: firstname.lastname@example.org.