Cybersecurity measures should ensure that an organisation manages its cyber risks to an acceptable, functional level. To ensure this occurs continuously and comprehensively, executives must monitor the actions of their security teams and keep themselves updated on the business’s cybersecurity progress and strategies.
Below is a list of the top five questions every executive should ask their security team.
How Compliant Are We with Industry Standards and Frameworks?
Industries each have their own cybersecurity frameworks which are set out in laws, industry standards or are simply best practice.
Adhering to the correct and specific framework is important and often extremely helpful for effective enterprise-wide cybersecurity, reducing risk and saving time. It is important for a CEO to understand whether their company is complying with and effectively applying these frameworks.
Do We Have Adequate Transparency and Education for Staff and Executives?
Staff that are well-trained and educated on the types of cybersecurity threats facing them will serve as an efficient first-line of defence against cyberattacks. With new threats evolving continuously, it is important to ask whether this education is being updated periodically and effectively actioned across the company. Through awareness and education, staff can be equipped with the knowledge to detect and avoid cyberattacks and have the confidence to alert management if they’ve made a mistake or have found something odd.
It is also extremely important that a business is transparent about their state of cybersecurity, ensuring all staff are aware of the current and developing threats facing them in the workplace. A CEO must ensure the security team is open and executives are being kept up-to-date with the risks and impacts of cybersecurity.
How Often Do We Test and Update our Cybersecurity Strategies?
A CEO must ensure their cybersecurity strategies are mature and well-tested. These strategies can range from cyber incident response plans to penetration testing, with each requiring clarity and continuous tests. With technology changing daily, this is an essential consideration for any business and must be followed up by the executives.
What is the Current Threat Level?
A CEO must know what the current level and impact of the business’s identified cyber risks are, and what strategies are in place to deal with them. This often involves asking how many and what types of incidents are detected within the company, and what threshold standards are applied for alerting the executives of incidents.
What is Our Third-Party Vendor Policy?
Third party vendor security has been identified time and time again as one of the major risks facing companies today, with around 63% of all data breaches being linked to third-party access in 2016.
Hence, it is vital for a CEO to ask what the company’s policy is towards vendor security, whether the vendors are screened and tested and how well they are in control of their security safeguards. Looking for security certifications is a good first step, such as the SOC2 compliance for SaaS providers or the ISO27001 requirements for Information Security.
These five questions will enable a CEO to understand and monitor their company’s cybersecurity more efficiently. The answers will give an informative, somewhat simplified snapshot but will allow the executives to identify any shortfalls in the company’s cybersecurity policies.