The best business decisions are often made based on senior leadership’s confidence in facts, figures and calculations made by appropriate parties within the organization. Relying on gut instinct - or worse, potentially false or incomplete information - is a dangerous road to travel, especially when it comes to cybersecurity.
Whereas gut instinct may have a place in marketing, sales, or other facet of the business, the planning, implementation, and verification of security operations require facts to be complete and accurate. You need to have all the answers to every possible question at any time.
We've put together the critical questions for non-technical leaders within your organization to know to ask to ensure that you have a complete and accurate security picture in order to make the best decisions possible.
For each of the questions below, keep in mind that the individual responses need to address the following two questions to start:
Are you sure?
Cybersecurity expectations should be measured against the reality of implementation of processes, procedures, education, and verification. False assumptions or beliefs about security conditions are often found after a major security incident. These inaccurate understandings can lead to security gaps and unmitigated risks that are later found to be a predominant cause of a breach.
Why are you sure?
Refrain from basing a business decision after being told that “all is good” without supporting evidence from responsible parties. Request or even require independent testing, then review those results to ensure a high level of compliance and confidence
1. DO WE KEEP A LIVE INVENTORY OF ASSETS?
Maintaining an accurate inventory of both physical and virtual assets, including all devices, licenses, and policies, is critical to knowing the scope of the "What" that's needed to be secured to drive your cyber posture and potential vulnerabilities.
2. ARE OUR EMPLOYEES PROPERLY TRAINED ABOUT CYBERSECURITY?
How do we measure their knowledge/preparedness? It’s not enough to just train employees once and assume they're good to go. It's critical to have implemented both a training as well as a recurring testing program to keep them vigilant. Remember - beyond the technology, your staff are actually your first line of defense when it comes to phishing, CEO fraud, ransomware, and other human based vulnerabilities.
3. DOES OUR CYBERSECURITY STRATEGY ADDRESS BUSINESS RISK?
How? Many employees don’t fully understand the business impact of a major cyber incident, whether intentional or accidental, until they are in the fog of war. It is vitally important to be aware of the cascading impacts of a potential incident, from a basic outage to a major disaster or even a full loss of access and control in a ransomware event. You cannot possibly build a plan without fully understanding the ramifications of not doing so.
It’s important to have the ability to recover from a ransomware incident without paying a ransom. However, the ability to operate during an attack is also worth investigating. What are the minimum continuity requirements for the organization, are we prepared to meet them, and can the IT team prove it?
4. WHAT WOULD AN ATTACK ON US LOOK LIKE?
How would someone attack us, infect our systems with ransomware, steal our data, and otherwise cause us potentially severe disruption and losses? Answers to this can be very enlightening. It is rare that technology leaders don’t know of weaknesses within their environment that could be leveraged to harm the organization.
Knowing what your technology team thinks is a critical factor in understanding your risk. Are they equipped to make necessary decisions in a vacuum, or should they be made with support from higher level leadership? Even CIOs may often have a more myopic view of some issues that could benefit from a wider discussion of company risk exposure and tolerance levels
5. IF WE WERE HIT BY AN ATTACK, HOW CONFIDENT ARE WE THAT WE CAN RECOVER QUICKLY?
Many organizations don't plan for recovering from a major attack quickly. Key issues such as reducing downtime, preventing, or minimizing revenue loss, addressing customers’ experiences during a recovery, and minimizing recovery costs must be addressed before an incident occurs. The absence of such a plan could create chaos while trying to recover systems and data and critical systems may not be available in a reasonable time as required by the business.
In addition, it's not enough to simply have a plan. Environments are constantly changing, so organizations must frequently review recovery plans, prepare for a potential attack by testing those plans, and adjust as needed. Often, one of the key missing components from a business continuity perspective is having redundant or duplicate devices on hand as backup to sole failure points.
Ask for evidence of the following:
- Incident Response Plans
- Disaster Recovery Plans
- Business Continuity Plans
6. WHAT PREVENTATIVE MEASURES HAVE WE IMPLEMENTED TO PROTECT OUR COMPANY?
In order to properly evaluate an organization’s cybersecurity program, it’s critical for business leadership to understand the current protection systems in place. In particular, the tools deployed to prevent or reduce these cyber threats from impacting the organization. These systems should be verified, documented, and tested frequently with detailed reporting output.
7. HOW DO YOU MEASURE AND MANAGE OUR CYBERSECURITY PROGRAM?
In order to maintain an ever-evolving, ever-maturing security program, it’s paramount that your organization leverage clear objectives and metrics wherever possible. The beauty of a cybersecurity program is that all initiatives ultimately lead back to tangible risks, which allows for your organization to establish a quantifiable action to address them.
These metrics can be something simple, like a calculation of how many of your IT controls passed vs. failed during an assessment, or how many new hires had a background check and how many did not. One of the key elements of building an evolving security program is that as your program matures, your metrics become more advanced.
8. HOW DO YOU DETERMINE THE APPROPRIATE BUDGET FOR TECHNOLOGY RISK MANAGEMENT?
As cyber threats continue to increase, aligning appropriate budget with technology risk management needs to be a top priority. Cybersecurity spend is like having insurance. It may be hard to measure, but it's required to reduce risk of revenue loss, customer information, intellectual property, company downtime, and impact to reputation.
No matter how many technology companies you have incorporated or how good you believe your cyber hygiene is, there’s always room for improvement. Most CISOs and companies don’t have an infinite budget, but cybersecurity spend is an essential cost of doing business.
Experts advise that 10% to 15% of an organization’s IT budget be allocated for protection against data breaches and cybersecurity attacks. The higher your current risk, the larger the investment needed.
9. WHAT TYPES OF RISKS ARE CURRENTLY THREATENING OUR NETWORK/SYSTEMS?
How do we know we have full visibility of those threats? Do we have visibility across all systems
or just critical infrastructure? What steps (if any) have we done to reduce them?
Managing risk and ensuring continuity takes an organization level commitment to a culture of resilience. Many areas for improvement are operational: a lack of proper planning and preparation for adversity, siloed teams without insight into systemwide operational interdependencies or aligned to business risk, and the transformation of risk management to an operational activity.
Resilience requires bringing the areas of risk management, business continuity, and IT/Dev/Sec ops together to produce a secure by design operational process supporting mission critical functions.
Of course, each business is different, and not all data, infrastructure, applications, systems, and source code are equally mission-critical or valuable to that organization. On the other hand, access to some seemingly less critical systems can serve as an entry point for an attacker as everything is connected and one human or technical error can lead to a crippling attack.
As an IT security service provider with over 30 years of experience, we've seen a lot of things over the years. And more and more of what we're seeing these days as it relates to security hacks, breaches, and threats is, unfortunately, the result of too many businesses NOT taking cybersecurity seriously enough.
If you don't know where your business stands concerning its cybersecurity stance to prevent future attacks, please download our free Cybersecurity Report Card to help you evaluate this.