Properly managing cybersecurity risks demands that corporate leadership understands the full potential impact on your business—including reputational and legal risks. This starts with a dialogue about the security risks at your organization—how serious they are, how critical prevention and risk mitigation are, and how sophisticated attackers have become at stealing user credentials and breaching supposedly protected systems.
Yet, informal conversations are not enough. You’ll want to take this dialogue to the next level by getting everyone on your team and in the C-suite aligned on your company’s security position, risks and vulnerabilities, and action plan to address immediate and long-term concerns.
Facilitating an executive-level security discussion
An off-site security workshop is a great way to facilitate an in-depth discussion in which you’ll review your organization’s security posture, desired end-state, and priorities and document them in an actionable roadmap to tighter security in the future. Include your CEO, CIO, CISO, and any other members of corporate leadership who have a stake in the matter, as well as security SMEs and cybersecurity management.
To have a productive discussion, request that your security team prepares by evaluating your organization’s corporate cybersecurity position from their particular vantage points, looking for strengths, weak points, unmet needs, and gaps in knowledge. As for preparing yourself, be ready to discuss your company’s security position from a business perspective, rather than purely a technical one.
Shaping your organization’s security future
Leadership must understand the full picture of cybersecurity risks to your business—and that’s what you need to convey. Be ready to lead a conversation about the cybersecurity risks facing your organization, the company’s plan to manage these risks, and the response plan, should an incident happen.
This will no doubt be a challenging discussion as you, your CEO, CIO, CISO, and other executives work to reconcile the priorities of your various roles with the unmet security needs of your company. To help jump-start the discussion, you can provide attendees with questions in advance and have them prepare answers to the ones that apply to their positions. Not only does this act as a guide to the conversation, but it gets everyone on the same page regarding your organization's security position and the areas that need increased focus and security. We’ve found this Information Security handbook to be a great resource for questions to ask attendees, but as a starter, here are three questions you should ask:
How vulnerable is our company?
This question will require some preparation before your C-suite can answer it accurately: unless you take the time to explore your company’s security strategy, you may not be able to come up with a strong answer. Ask yourself: Are thorough vulnerability assessments and penetration testing a part of your current security plan? If so, what were the results? Should detecting and categorizing risks and threats be a larger investment?
How many cyber incidents do we experience in a normal week?
Managing executive leadership’s understanding of your security situation can be difficult, but one way to make the situation crystal clear is to look at the hard numbers. In addition to discussing the number of incidents detected (and how they were detected), consider whether holes in your detection systems might be allowing other attacks to go unnoticed.
Are our employees putting us at risk?
As we’ve covered in previous posts, people are the biggest vulnerability in any organization. Both active malice and passive carelessness—poor password practices, for example, or inability to identify potential phishing scams—can lead to major breaches. Do you know who has access to what? What are your protocols for deprovisioning network and system access when employees are terminated?
Whether off site or on, the security intervention you conduct with your CEO, CIO, and CISO should enable you, as a team, to come to grips with your organization’s security needs and to develop a clear roadmap for handling those needs in the immediate and more distant future. With that roadmap in hand, you’ll find it much easier to begin making significant changes to your security stack.