Cybersecurity Risks: Critical Questions Every CEO Should Be Asking

Image of various technology devices that could pose cybersecurity risks.

As technology continues to evolve, cybersecurity risks and threats continue to grow in sophistication and complexity. These threats affect businesses of all sizes and require the attention and involvement of chief executive officers (CEOs) and other senior leaders.

To help companies understand their cybersecurity risks and prepare for cyber threats, CEOs should discuss key risk management topics with their leadership and implement cybersecurity best practices geared toward risk mitigation.

What should CEOs know about the cybersecurity threats their companies face?

CEOs should ask the following questions about potential cybersecurity threats:

  • How could cybersecurity threats affect the different functions of my business, including areas such as supply chain, public relations, finance, and human resources?
  • What type of critical information could be lost (e.g., trade secrets, customer data, research, personally identifiable information)?
  • How can my business create long-term resiliency to minimize our cybersecurity risks?
  • What kind of cyber threat information sharing does my business participate in? With whom does my business exchange this information?
  • What type of information sharing practices could my business adopt that would help foster community among the different cybersecurity groups where my business is a member?

Questions  CEOs Should Be Asking About Cybersecurity Risks

The following questions will help CEOs guide discussions about their cybersecurity risk with management:

  • What is the threshold for notifying executive leadership about cybersecurity threats?
  • Do we know what the current level of cybersecurity risk for our company is?
  • How do we determine the possible business impact to our company from our current level of cybersecurity risk?
  • Do we have a company-wide plan to address identified risks?
  • Is cybersecurity training available for our workforce?
  • What measures do we employ to mitigate insider threats?
  • How does our cybersecurity program apply industry standards and best practices?
  • Are our cybersecurity program metrics measureable and meaningful?
  • How comprehensive are our cybersecurity incident response plan and our business continuity and disaster recovery plan?
  • How often do we exercise our plans?
  • Do our plans incorporate the whole company or are they limited to information technology (IT)?
  • How prepared is my business to work with federal, state, and local government cyber incident responders and investigators, as well as contract responders and the vendor community?

What can CEOs Do To Reduce Cybersecurity Risks

The cybersecurity best practices listed below can help organizations manage cybersecurity risks.

  • Elevate cybersecurity risk management discussions to the company CEO and the leadership team.

    • CEO and senior company leadership engagement in defining an organization’s risk strategy and levels of acceptable risk is critical to a comprehensive cybersecurity risk plan.
      The company CEO—with assistance from the chief information security officer, chief information officer, and the entire leadership team—should ensure that they know how their divisions affect the company’s overall cyber risk.
      In addition, regular discussion with the company board of directors regarding these risk decisions ensures visibility to all company decision makers.
  • Implement industry standards and best practices rather than relying solely on compliance standards or certifications.

    • Lower cybersecurity risks by implementing industry benchmarks and best practices (e.g., follow best practices from organizations like the Center for Internet Security).
      Organizations should tailor best practices to ensure they are relevant for their specific use cases.
    • Follow consistent best practices to establish an organizational baseline of expected enterprise network behavior.
      This allows organizations to be proactive in combating cybersecurity threats, rather than expending resources to “put out fires.”
    • Compliance standards and regulations (e.g., the Federal Information Security Modernization Act) provide guidance on minimal requirements; however, there is more businesses can do to go beyond the requirements.
  • Evaluate and manage organization-specific cybersecurity risks.

    • Identify your organization’s critical assets and the associated impacts from cybersecurity threats to those assets to understand your organization’s specific risk exposure—whether financial, competitive, reputational, or regulatory.
      Risk assessment results are a key input to identify and prioritize specific protective measures, allocate resources, inform long-term investments, and develop policies and strategies to manage cybersecurity risks.
  • Ensure cybersecurity risk metrics are meaningful and measurable.

    • For example, the time it takes an organization to patch a critical vulnerability across the enterprise could be described as a useful metric.
      In this example, reducing the days it takes to patch a vulnerability directly reduces the risk to the organization.
    • On the other hand, a less useful metric could be reflected in the number of alerts a Security Operations Center (SOC) receives in a week.
      This is because there are too many variables in the number of alerts an SOC receives for this number to be consistently relevant.
  • Develop and exercise cybersecurity plans and procedures for incident response, business continuity, and disaster recovery.

    • It is critical that organizations test their incident response plans across the whole organization, not just in the IT environment. Each part of the organization should know how to respond to both basic and large-scale cybersecurity incidents.
      Testing incident response plans and procedures can help prevent an incident from escalating.
    • Incident response plans should provide instructions on when to elevate an incident to the next level of leadership.
      Regularly exercising incident response plans enables an organization to respond to incidents quickly and minimize impacts.
  • Retain a quality workforce.

    • Cybersecurity tools are only as good as the people reviewing the tools’ results. It is also important to have people who can identify the proper tools for your organization.
      It can take a significant amount of time to learn a complex organization’s enterprise network, making retaining skilled personnel just as important as acquiring them.
      There is no perfect answer to stopping all cybersecurity threats, but knowledgeable IT personnel are critical to reducing cybersecurity risks.
  • Maintain situational awareness of cybersecurity threats.

Refer to the Cybersecurity and Infrastructure Security Agency (CISA) Cyber Essentials page for recommendations on managing cybersecurity risks for small businesses.

Managing cybersecurity risks can be challenging, especially for small organizations and businesses.

If you need assistance in getting a handle on the cyber threats facing your business, or struggling with implementing recommended cyber security best practices, Tech Prognosis  can help.

Reach out by phone at (512) 814-8044, or by using our contact us form.

Note: This article was sourced from the Cybersecurity and Infrastructure Security Agency (CISA).