The continuous coverage of network breaches and data leaks indicates that information security has become a dangerous blind spot for many businesses. This makes it critical for CEOs to familiarise themselves with their organisation’s internet security policies and procedures, as they become increasingly accountable for any failures.
The CEO of a company can’t know in detail about everything that goes on in their organisation. However, a good CEO can ask the right questions and ensure the right management staff are assigned to protect the data assets of their organisation.
Questions every CEO should be asking include:
1. When did we last do a data inventory? – Unless your security team has searched your company to discover all its sensitive and confidential data, how will they know what to protect? Make sure your organisation has done a data inventory, and regularly repeat the process to make sure your understanding of data assets stays current.
2. Can you give me the what, where, who, and why for all our data assets? – After a data inventory, your security team should know about all the intellectual property (IP) and personally identifiable information (PII) your organisation stores, whether it belongs to you or your customers. They need to know how important each type of data is, where it gets stored, who has access to it, how they share it, and why your organisation needs it. If your company doesn’t really need it, there is no reason to take on the liability associated with storing it.
3. How are we protecting the systems that store our sensitive data? – Your security team should be able to tell you what controls they have in place to protect the most sensitive data. As the CEO, it’s not your responsibility to understand what technical controls are needed, rather, you should make sure that your team is spending most of their time and budget on the right data assets.
4. How is the efficacy of our security systems being measured? – Measuring results is a basic part of running a business, and it is just as relevant when assessing security. Different members of the team may give different answers, pointing to external audits, internal pen-testing, infection/infiltration statistics, uptime and downtime analysis, etc. The specific answer doesn’t matter too much, as long as they have an answer! The goal here is to make sure that your security team is actually trying to measure their results.
5. Can you show me your risk assessment for our various data assets? – Good security professionals should use risk assessment formulas to make decisions. Though the formulas differ slightly, the generic risk assessment equation is essentially: risk equals the probability of a loss multiplied by the magnitude (cost) of the loss. Applying this simple formula to the data you have will help your security team figure out how much to spend to protect various assets and ensure they are spending time and money on protecting the right assets.
6. Can you show me any security or network reports? – If your security team is really monitoring your organisation properly, they will have graphical reporting systems that can show you substantial amounts of information about your network and organisation. It is important you are familiar with this information for two reasons. Firstly, you want to make sure that your team is regularly analysing the reports themselves. These sorts of reports can often help security professionals recognise anomalies in your network, which could be a sign of an attack. Secondly, you may be pleasantly surprised to find content in these reports that can help your business, particularly in relation to productivity issues or other business challenges.
7. Do we have an incident response and disaster recovery plan? – We’ve all heard the saying, “the best laid plans of mice and men oft go awry.” It’s a cliché because it’s true. No matter how well prepared your security team is, one day your organisation will have an incident or a breach. A good security team has a plan in place to quickly react to and handle such a situation, with little or no downtime to your business. Most importantly, have they actually tested their incident response and disaster recovery plan?
8. Have all our employees received security awareness training? – All the technical security controls money can buy won’t protect you from ignorant users doing silly things. Often, the weak link in security is human, not technical. Ask your security team if they have given employees security awareness training, and if not, ask them to institute a training program immediately.
9. Do we have a software and hardware asset lifecycle? – Your security professionals probably already understand the security benefit of patching software and firmware. However, they may not have considered the full product lifecycle. Eventually, products go end-of-life and no longer receive security updates. When this happens, an old, legacy product can become the weak chink in your organisation’s armour. Windows XP is a perfect example of this. Microsoft will no longer support it, yet many products still rely on it. Make sure your security team has a plan to decommission old systems so that they don’t expose vulnerabilities in your network.
10. Who’s ultimately accountable for your organisation’s information security? – If you already have a CISO at your organisation, this question is moot. However, if you don’t, you need to consider it. If you really want your security team to take strong ownership of your corporate defences, you have to assign accountability. There needs to be one security professional who is ultimately accountable for your data security. At larger organisations, this could be a CISO or CSO, but if your organisation is too small for those roles, assign an information security manager and hold him or her accountable when your company has an incident.