CEOs and board members don’t need to be experts on cybersecurity, but they do need to be armed with a certain amount of information to do their jobs effectively, particularly in today’s environment of increased accountability. So how do you know what to ask your teams?
This is a common problem. When it comes to cybersecurity, what you don’t know can hurt you. Recognizing this, the U.S. Department of Homeland Security worked with current and former executives to create five simple questions that CEOs and other ranking executives can ask the technical team to drive better security practices. They are:
- What is the current level and business impact of cyber risks to our company, and what is the plan to address identified risks?
- How is executive leadership informed about the current level and business impact of cyber risks to our company?
- How does our cybersecurity program apply industry standards and best practices?
- How many and what types of cyber incidents do we detect in a normal week, and what is the threshold for notifying executive leadership?
- How comprehensive is our cyber incident response plan and how often is the plan tested?
The team that coordinated the Cybersecurity Framework also provided recommendations to help business leaders align their cyber risk policies with these questions. First and foremost, they said, CEOs must fold cyber risk into the risk-management and governance processes the company already runs. That sounds obvious, but in practice cyber risk is often siloed as a technical concern and handled apart from the enterprise risk process that already tracks the company's most valuable assets. Leadership has to start by identifying which assets, systems and data are most critical to protect, because that is what every other answer (risk level, reporting, incident thresholds, response testing) is measured against.
Aligning a company's core business priorities with its cybersecurity program is a journey, not something that can be solved in one big investment or a single board meeting. Like any other risk analysis, it requires serious thought about what matters most to core business operations, and the answers will change as the business and the threat landscape change. The five questions above are a practical starting point for board members and executives who want to understand and reduce that risk.