Six Questions a CEO Should Ask About Cybersecurity

Chris Reffkin | 12/17/2015
RISK-16005-015 Cybersecurity Blog 7A

Most CEOs are not cybersecurity experts. However, they are good at asking the right questions to assess risk to their organizations. This post outlines the data points a CEO needs to gather in order to assess that risk from a cybersecurity perspective.

More often than not, organizations structure their cybersecurity posture in three tiers. The lower tier comprises the network administrators and security engineers – the smart people hired to get things done. The middle tier, management, typically oversees budgets and project management and has a narrow focus on its own realm of responsibility rather than the good of the whole organization.

The middle tier may act as a filter between the lower tier and the top tier – leadership. Rather than receiving information directly from the engineers, leadership receives it from management, whose narrow focus can act as a filter that may inadvertently give a positive spin to any negative outlook on security, thus giving leadership a false sense of protection.

How can leadership cut through the bureaucracy to get accurate information?

Following are six questions CEOs should ask to better understand their organization’s cybersecurity risk:

  1. Does our organization have a formal cybersecurity program in place, and is it up to date?
  2. Does our organization have a designated cybersecurity leader? If so, how do we support the person in that role with the appropriate authority and resources?
  3. Does our cybersecurity team understand precisely what it is tasked with protecting?
  4. Do we employ procedures designed specifically for detecting and containing cyberattacks?
  5. Do we have a plan for responding to cybersecurity incidents?
  6. Do we use testing, assessments, and continuous improvement as core elements of our cybersecurity plan?

The answers to each of these questions may encompass vast amounts of detail. The CEO should have the detailed responses analyzed by the management team so that the team can give the CEO, in business and financial terms, a clear understanding of the risk. Further, because CEOs are not typically IT or cybersecurity experts, they should expect management to communicate its analysis clearly and concisely, without jargon.

By incorporating these questions into the organization’s business practices and strategy – as cybersecurity strategy needs to align with business strategy – a CEO will be better able to elicit sufficient information and avoid the challenges of the middle tier’s information filter.