Ten Things Every CEO Should Ask about Security in their Organisation

Author: David Higgins, ANZ Country Manager, WatchGuard Technologies

The continuous coverage of network breaches and data leaks indicates that information security has become a dangerous blind spot for many businesses. This makes it critical for CEOs to familiarise themselves with their organisation’s internet security policies and procedures, as they become increasingly accountable for any failures.

The CEO of a company can’t know in detail about everything that goes on in their organisation; however, a good CEO can ask the right questions and ensure the right management staff are assigned to protect the data assets of their organisation.

Questions every CEO should be asking include:

1. When did we last do a data inventory? – Unless your security team has searched your company to discover all its sensitive and confidential data, how will they know what to protect? Make sure your organisation has done a data inventory, and regularly repeat the process to make sure your understanding of data assets stays current.

2. Can you give me the what, where, who, and why for all our data assets? – After a data inventory, your security team should know about all the intellectual property (IP) and personally identifying information (PII) your organisation stores, whether it belongs to you or your customers. They need to know how important each type of data is, where it gets stored, who has access to it, how they share it, and why your organisation needs it. If your company doesn’t really need it, there is no reason to take on the liability associated with storing it.

3. How are we protecting the systems that store our sensitive data? – Your security team should be able to tell you what controls they have in place to protect the most sensitive data. As the CEO, it’s not your responsibility to understand what technical controls are needed; rather, you should make sure that your team is spending most of their time and budget on the right data assets.

4. How is the efficacy of our security systems being measured? – Measuring results is a basic discipline of business and is just as relevant when assessing security. Different members of the team may give different answers, such as external audits, internal pen-testing, infection/infiltration statistics, uptime and downtime analysis, etc. The actual answer doesn’t matter too much, as long as they have an answer! The goal here is to make sure that your security team is actually trying to measure their results.

5. Can you show me your risk assessment for our various data assets? – Good security professionals should use risk assessment formulas to make decisions. Though they differ slightly, the generic risk assessment equation is essentially: risk equals the probability of a loss multiplied by the magnitude (cost) of the loss. Applying this simple formula to the data you have will help your security team figure out how much to spend to protect various assets and ensure they are spending time and money on protecting the right assets.
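The risk formula above, applied to a constructed data inventory as an added example (not part of the article): it ranks assets by expected annual loss and checks whether a proposed control costs less than the risk it removes. The asset names, probabilities and dollar figures are illustrative assumptions.

```python
# Added example (not from the article): applying "risk = probability x cost"
# to a constructed data inventory to rank assets and sanity-check control spend.
from dataclasses import dataclass


@dataclass
class Asset:
    name: str
    annual_loss_probability: float  # estimated chance of a loss event per year (0..1)
    loss_cost: float                # estimated cost of one such loss event


def expected_loss(asset: Asset) -> float:
    """Annualised risk: probability of a loss multiplied by its magnitude."""
    return asset.annual_loss_probability * asset.loss_cost


def rank_by_risk(assets):
    """Highest expected loss first: this is where time and budget should go."""
    return sorted(assets, key=expected_loss, reverse=True)


def control_is_justified(asset: Asset, control_cost: float, residual_probability: float) -> bool:
    """A control pays for itself when the risk it removes exceeds what it costs."""
    reduced = Asset(asset.name, residual_probability, asset.loss_cost)
    return expected_loss(asset) - expected_loss(reduced) > control_cost


# Constructed sample inventory (illustrative figures, not from the article)
INVENTORY = [
    Asset("customer PII database", 0.10, 2_000_000),
    Asset("public marketing site", 0.50, 20_000),
    Asset("payroll records", 0.05, 500_000),
]

if __name__ == "__main__":
    for a in rank_by_risk(INVENTORY):
        print(f"{a.name:25s} expected annual loss ${expected_loss(a):>12,.0f}")
    # A $100k control that cuts the PII breach probability from 10% to 2%
    print("PII control justified:", control_is_justified(INVENTORY[0], 100_000, 0.02))
```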

6. Can you show me any security or network reports? – If your security team is really monitoring your organisation properly, they will have graphic reporting systems that can show you substantial amounts of information about your network and organisation. It is important you are across this information for two reasons. Firstly, you want to make sure that your team is regularly analysing the reports themselves. These sorts of reports can often help security professionals recognise anomalies in your network, which could be a sign of an attack. Secondly, you may be pleasantly surprised to find content in these reports that can help your business, particularly in relation to productivity issues, or other business challenges.


7. Do we have an incident response and disaster recovery plan? – We’ve all heard the saying, “the best laid plans of mice and men oft go awry.” It’s a cliché because it’s true. No matter how well prepared your security team is, one day your organisation will have an incident or a breach. A good security team has a plan in place to quickly react to and handle such a situation, with little or no downtime to your business. Most importantly, have they actually tested their disaster recovery plan?

8. Have all our employees received security awareness training? – All the technical security controls money can buy won’t protect you from ignorant users doing silly things. Often, the weak link in security is human, not technical. Ask your security team if they have given employees security awareness training, and if not, ask them to institute a training program immediately.

9. Do we have a software and hardware asset lifecycle? – Your security professionals probably already understand the security benefit of patching software and firmware. However, they may not have considered the full product lifecycle. Eventually, products go end-of-life and do not receive any further security updates. When this happens, an old, legacy product can become the weak chink in your organisation’s armour. Windows XP is a perfect example of this. Microsoft will no longer support it, yet many products still rely on it. Make sure your security team has a plan to decommission old systems so that they don’t expose vulnerabilities in your network.

10. Who’s ultimately accountable for your organisation’s information security? – If you already have a CISO at your organisation, this question is moot. However, if you don’t, you need to consider it. If you really want your security team to take strong ownership of your corporate defences, you have to assign accountability. There needs to be one security professional that is ultimately accountable for your data security. At larger organisations, this could be a CISO or CSO, but if your organisation is too small for those roles, assign an information security manager and hold him or her accountable when your company has an incident.
