If you don’t have a board, then the CEO would be a great person to ask these questions. The key thing is that the CIO and CISO need to be able to answer them. The questions came from (Dell) Secureworks.
If you are the CIO or CISO, you should ask and answer these questions before your CEO reads this post.
1. Do we have the visibility to detect the threats most relevant to us, whether that be everyday malware, nation states, cyber criminals, insiders or hacktivists?
So many times we hear about attackers that have been inside a company’s systems for months or even years. We have to get that number down to days or even hours.
2. What do you assess our main cyber risks to be, how well protected against them are we and how are they changing? What gaps exist in current strategies and budgets?
The only way to deal with these threats is to put them out on the table. Once we know what we are dealing with we can begin to handle it. The CEO and Board need to be on the hook for this – if they don’t make this a priority and fund and staff it then the breach is on their hands.
3. Are we prepared with a plan to deal with a breach? Do we know when this gets triggered and where responsibilities lie? Has it been tested?
The company’s incident response program is what prevents an incident from becoming a crisis. With no program, no training and no team, avoiding a crisis is very unlikely.
4. Do you feel security training is tailored and delivered to ensure that each workforce segment is aware of threat actors and their CURRENT tactics?
We still hear companies say that they get people into a dark room once a year and watch them fall asleep over PowerPoints. Training has to be interactive, ongoing and engaging. Do something every month. Phish your employees every week. The old methodology doesn’t work any more.
Wherever you fit in the corporate or IT food chain, these are great questions to be considering. While this is not a silver bullet, it will start some very useful conversations.
Information for this post came from Secureworks.