Five questions CEOs should ask about cyber risks

Times have changed. For generations, we were concerned with a masked man breaking the doors and windows of our business and cleaning out the cash register. But a far more frightening and unexpected threat has replaced the old smash and grab. Now, the most damaging action against your business can occur at the hands of a guy sitting at his computer in his pajamas halfway around the world. All it takes is a highly specialized set of skills and an Internet connection to bring your business to its knees.

Cybercrime has become a huge issue, and no location, industry or organization is immune from cyber attack. Organizations have encountered a multitude of cyber threats with severe impacts, and the security measures required should go beyond compliance. For this reason, cyber risk must be managed at the most senior level in the same manner as other major corporate risks.

To properly manage cyber risk, the CEO must fully understand:

  • The organization’s cyber risks,
  • The organization’s plan to manage cyber risks, and
  • The organization’s response plan when the unavoidable breach occurs.

To tackle cyber risk, the Department of Homeland Security has listed five cybersecurity questions for CEOs, which will help guide leadership discussions about cybersecurity risk management for your organization.

1. How is our executive leadership informed about the current level and business impact of cyber risks to our organization?

C-level executives must be prepared to respond to any cyber incident in a timely manner and to minimize its business impact efficiently; to do so, they must be aware of the current cyber risk. Also make sure there is a communication process between the executives and those responsible for risk management.

2. What are the current level and business impact of cyber risks to our organization? What is our plan to address identified risks?

A risk assessment must be performed. Classifying critical assets and the associated impacts from cyber threats will assist in prioritizing protective measures and allocating resources. It is also crucial to understanding an organization’s risk exposure – whether financial, competitive, reputational or regulatory.

3. How does our cyber security program apply industry standards and best practices?

Merely fulfilling compliance requirements does not amount to a comprehensive security program, and it fails to address new and dynamic threats or sophisticated attackers. The best option is to follow industry best practices, which can satisfy the compliance requirements and also enable timely response and recovery for security incidents.

4. How many and what types of cyber incidents do we detect in a normal week? What is the threshold for notifying our executive leadership?

Detecting anomalies in traffic and event patterns will ensure that cyber incidents are escalated and responded to accordingly. Regular communication between the CEO and those accountable for managing cyber risks provides awareness of the associated risks and business impact. To detect, analyze and correlate data anomalies, the organization should recruit mature cybersecurity resources internally or consider engaging a third-party managed services provider.

5. How comprehensive is our cyber incident response plan? How often is it tested?

Early response actions can limit or even prevent damage caused by a cyber incident. Be sure to coordinate cyber incident response planning across the entire enterprise (Chief Information Security Officer, business leaders, system operators, continuity planners, general counsel and public affairs) to ensure you are ready for a cyber incident the moment it happens.
