Lighthouse Blog

Five Questions Every CEO Should Ask About Cyber Risks

Five Questions Every CEO Should Ask About Cyber Risks

Cyber risks are evolving quickly these days. For every organization, creating a risk aware culture is one of the top essential security practices. In the same way that CEOs focus on their organization’s financial and market position, it’s important that they understand their company’s security posture and gaps to effectively guide their organizations and create value.

That’s because a strong security posture can demonstrate a company’s commitment to due diligence, strengthen its reputation, and instill confidence in its customers. At the same time, it can mitigate more tangible risks related to security breaches, such as operational downtime, data loss, and negative financial impacts.

With this in mind, there are five key questions that CEO’s need to answer about their cybersecurity risk posture. In each of these areas, we believe that a consulting partner who can be a trusted security advisor is a key enabler in effectively answering each one.

 

1) How is our executive leadership informed about the current levels and business impact of cyber risks?

There are many ways to stay informed about your company’s security posture and how it stacks up to your industry. For example, workgroups, security conferences, and threat intelligence feeds are all solid tactical sources of research and information. However, if you don’t want to go through all of that research yourself or put your reputation on the line to make the technology decisions, a trusted advisor can be your safety net to help you choose the right security path.

Typically, we find that our clients are placing more and more faith into a trusted advisor to make strategic procurement decisions. By doing this, companies can push some risk onto a third party to make a determination that a technology is sufficient to protect them in a certain control category, such as network or application security. It’s a way of hedging a bet on changing technology by placing the bet on a trusted advisor instead of doing internal competitive analysis and independent research to find the right tool that might fit their tactical needs.

 

2) What is the current level and business impact of cyber risks to our company?

In terms of security, an organization needs to have some kind of litmus test to know what their baseline is. This “baseline” is known as their expected normal or “known good” state. Being able to measure against that baseline regularly is an important tool in understanding a company’s risk posture.

This produces trend analysis and delta reporting to identify what has changed since the last time an assessment was done. Whether your company or a third-party does the assessment, being able to understand the differential (or delta) between the previous report results and the current report results should give you an idea of the direction that your organization is heading in regarding your maturity: whether or not you are improving or regressing.

After the baseline is established and there is an understanding of current trends, an organization can prove out the impact of certain findings. In order to validate those findings, an organization can leverage a third party to actually emulate an attack pattern of an adversary. That would be in the form of proactive security assessments including ethical hacking and penetration testing to prove out the impact.

 

3) How does our cybersecurity program apply industry standards and best practices?

An organization’s security responsibility starts with looking at what requirements they have in terms of regulatory compliance. As you expand your security controls scope, it may include additional considerations. This is an iterative in approach. Once a framework is identified and security controls can be mapped to that framework, then you can clearly and consistently see where control gaps exist.

From there, those gaps should be weighed against potential outcomes, and your company should apply controls that are technical in nature to enforce the standards that are in place. The idea is that the policy or standard matches the control requirement and that requirement needs to be technically enforced. Therefore, that final piece—which is the enforcement level—leverages technology to enforce those policies and produces an audit trail that is repeatable, produces evidence, and illustrates due diligence, eliminating doubt and uncertainty.

 

4) With so many varied threats coming in weekly, how do we make sense of the noise and prioritize our response?

Instead of focusing on how many (or what type of) cyber incidents your company experiences in a week, a different approach is to understand where patterns are and what common elements can be considered as routine and repeated by the attackers.

This is done using threat modeling, which works backwards from a problem outcome. If the negative outcome is application downtime, the threat model is focused on eliminating downtime on the application. And that means the company can’t have downtime on the web server. Every potential contributing factor to application availability risk (downtime) is analyzed, and the approach goes down the list to mitigate every identified contributing factor.

This contrasts with the traditional enterprise cybersecurity approach, which is the opposite. In that traditional model, a company groups issues looking for the least common denominator, the most critical finding, the easiest vulnerability to exploit, and then chips away at it until they get to the center of the issue. Threat modeling, however, is a very pointed, specific defensive technique to try and combat or mitigate a very specific attack, maximizing the return on the organization’s investment of cybersecurity.

 

5) How comprehensive is our cyber incident response plan and how often is it tested?

In order to gauge the comprehensiveness of your incident response plan, certain elements need to truly be tested with the team that will actually use it. That’s because an incident response policy is great to have, but if it’s not actionable, hasn’t been used recently, or is difficult to locate, it’s not going to do the Computer Security Incident Response Team (CSIRT) much good. Like a fire extinguisher buried at the bottom of a coat closet, it’s not going to be of much use if it’s not in the kitchen where it might be needed immediately.

 

Moving forward

While cyber risks are always evolving, right now is a particularly challenging time as more workforces work from home. This is something that historically a lot of industries—such as the financial sector—have not needed to address in this way. Many companies have made concessions, which has created an expanded threat surface and a lot of low hanging fruit for global attackers.

Though it seems like things are changing every day, a trusted advisor like Converge can help keep you abreast of not just changes in legislation and compliance, but also the technology landscape. This provides the organization’s decision-makers with the frontline insight needed to produce a sound cybersecurity risk management framework that supports and strengthens your organization’s cybersecurity strategy, meets operational goals, and aligns with your corporate mission.

 

Related Posts
Security Top Announcements from Microsoft Inspire: Azure, Teams, and Security