Questions for Executives

This business executive is focused on building his company. He spends his time focused on top-line growth and bottom-line profitability. He believes in hiring good people and giving them the authority they need to "make it happen".  When it comes to technology he relies heavily on his Chief Information Officer to ensure the company is building strong technology capabilities and managing its technology risks.

He receives regular updates from his IT Security team about cybersecurity threats and risks. They always paint a gloomy picture and want more money to invest in even more technology tools and people.

Is this your story?

Chief Executive Officers and other senior company executives must realize that they are an integral part of the enterprise security program.  They must be actively engaged in managing cybersecurity as a business risk.

Key questions for Executives:

  • Do you have the right organization and governance in place to effectively identify and manage cybersecurity risks?
  • Are the right people focused on managing cybersecurity, including ready access to outside experts and advisors?
  • How often are you receiving updates on your cybersecurity program?
  • Does the company have a well-structured and rehearsed security incident response process that includes senior management and the Board?
  • Are the investments you are making in cybersecurity appropriate for your company based on its risk profile?
  • Do you have a good understanding of your cybersecurity and IT risks and how each is being mitigated?
  • How frequently and comprehensively are you briefing the Board of Directors on cybersecurity and IT related risks?

The challenge for Executives is really understand and engage in the cybersecurity program. How do they know they have the right focus, strategy, people and investment in cybersecurity and IT risk management?  How well prepared is the CEO and other executives when (not if) something goes wrong?

Most Breaches are Preventable

In December 2018 the US House of Representatives Committee on Oversight and Government Reform issued a report on The Equifax Data Breach.

The report concluded:

"Equifax should have addresssed at least two points of failure to mitigate, or even prevent, this data breach. First, a lack of accountability and no clear lines of authority in Equifax's IT management structure...Second, Equifax's aggressive growth strategy and accumulation of data resulted in a complex IT environment...

On October 3, Richard Smith testified before Congress blaming human error and a failure to communicate the need to apply a patch as a underlying reasons for the breach.

Equifax failed to fully appreciate and mitigate its cybersceurity risks. Had the company taken action to address its observable security issues prior to this cyberattack, the data breach could have been prevented"

On March 26, 2014 the US Senate Committee on Commerce, Science, and Transportation released a report "A “Kill Chain”Analysis of the 2013
Target Data Breach". In that report, the committee concluded:

"This analysis suggests that Target missed a number of opportunities along the kill chain to stop the attackers and prevent the massive data breach. Key
points at which Target apparently failed to detect and stop the attack include, but are not limited to...

  • Target gave network access to a third-party vendor...which did not appear to follow broadly accepted information security practices...
  • Target appears to have failed to respond to multiple automated warnings from the company’s anti-intrusion software...
  • Target failed to properly isolate its most sensitive network assets...
  • Target appears to have failed to respond to multiple warnings from the company’s anti-intrusion software regarding the escape routes the attackers planned to use to exfiltrate data from Target’s network".

How Cybersecurity4Executives Can Help

Cybersecurity Strategy Assessment

Provides Executives with an independent assessment of the company’s cybersecurity strategy and the investments made to protect the company from cybersecurity risks. Understand where improvements are needed in people, process and/or technology. A short time-boxed assessment designed to deliver high value insights to the management team.

Cybersecurity Executive Awareness Training

In-person or virtual cybersecurity awareness training for Executives focused on how to protect the company from cybersecurity risks. Includes guidance on key considerations for the Executive team, how to evaluate the organization’s security program, and how to prepare for a security incident.

Cybersecurity Breach Simulation

An interactive session with key management to rehearse and practice the real-time decision-making needed in a breach incident. Adapted to follow the company’s specific incident response plans. Executives will gain a better understanding of their roles and responsibilities in responding to a cybersecurity breach.

Cybersecurity Mentoring

Ongoing support and mentoring to key Executives (CEO, CIO, CISO) to help them identify, understand and improve the company’s cybersecurity program. Helps Executives keep up-to-date with key cybersecurity issues and trends and be able to make appropriate management decisions.