15 Cybersecurity Questions Every C-Suite Needs to Ask

With the threat of cyber crime to businesses, it is clear there needs to be a shift in the conversation if any real improvements are to be made. But what happens if questions about cybersecurity are left unposed? The unspoken could have real consequences.

The messaging at conferences, in magazines, trade journals, the evening news, and web-based news and information sources is consistent: organizations should be aware of their risks and take action to protect their data, servers, and services from attack. This leaves several questions unanswered. Many in a senior management role (C-Suite, or even those serving on boards of directors) are not formally trained in technical information security and risk management, and as a result even knowing which questions are important to ask is itself an unknown.

We are well-positioned to help business leaders answer these cybersecurity questions (and also help them with maturing their information security and risk management programs as a result of the answers to those questions).  We have a great deal of hard-won experience from our incident response and digital forensics work – we see firsthand who is attacking and compromising organizations as well as how.  We are then fortunate to be able to help those organizations create a plan to reduce the risk of it happening again.

Questions about your information security program or the threats you face

Why do I need to worry about information security?

The threats are real – and it’s not some shady character in a gray hooded sweatshirt looking at scrolling lines of green code. By volume, attacks are largely automated and broadcast to large swaths of the Internet (although the most significant threats are targeted). Cisco Talos has hard statistics showing that roughly 85% of all email traversing the Internet is spam – either marketing or malware. Spam filters do a good job of catching and stopping that 85%, but some messages are bound to go unnoticed and pass through to your users.

Any system or service exposed to the public Internet is threatened – according to the University of Maryland, an attack hits an Internet-connected system every 39 seconds on average. Again, many of these are unsuccessful, but it only takes one hitting an unpatched or particularly vulnerable system to cause trouble.

What are the biggest cybersecurity threats right now?

Without question, wire transfer fraud and ransomware headline the most critical threats facing organizations.

Wire transfer fraud targets manual bank transfers of funds between entities. Attackers compromise an organization’s email system and start looking for finance and payment-related employees. Our Incident Response team sees attackers lurk in the email for months waiting for a payment to compromise. When the two entities exchange emails with payment information, the attackers insert a second email claiming there was a transcription error and asking that a new account number be used (or they take the exchanged credentials and attack the bank account directly). They then move the transferred money out of the fraudulent destination account before anyone notices. There are other flavors of this type of attack, but this example demonstrates the need for authenticated verification of wire transfers using multiple mechanisms to prevent this type of theft.
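One way to express the "multiple mechanisms" control the paragraph calls for is a dual-control release check on payment instructions. The example below is added here and is not code from the original article or from any particular payment system; the vendor master record, phone numbers, account numbers and employee names are constructed, and the two controls it enforces (a callback to the phone number already on file, never to a number supplied in the incoming email, plus an approver other than the requester) are the assumed policy:

```python
"""Dual-control release check for wire payment instructions.

Added example, not part of the original article. Any payment whose
destination account differs from the vendor master record is held until
(1) an out-of-band callback to the number on file confirms the change and
(2) someone other than the requester approves it.
"""
from dataclasses import dataclass
from typing import Optional

# Constructed vendor master file: bank details and callback number on record.
VENDOR_MASTER = {
    "acme-supply": {"account": "111122223333", "callback_phone": "+1-555-0100"},
}


@dataclass
class WireRequest:
    vendor_id: str
    amount: float
    account: str                      # account number taken from the instruction email
    requested_by: str                 # employee who entered the payment
    callback_confirmed_by: Optional[str] = None   # who placed the verification call
    callback_number_used: Optional[str] = None    # number actually dialled
    second_approver: Optional[str] = None         # independent approver


def evaluate_wire(req: WireRequest) -> tuple[str, list[str]]:
    """Return ("release" | "hold", reasons) for a single payment request."""
    reasons: list[str] = []
    record = VENDOR_MASTER.get(req.vendor_id)
    if record is None:
        return "hold", ["unknown vendor; no master record to verify against"]

    # Bank details unchanged from the master record: nothing to verify.
    if req.account == record["account"]:
        return "release", []

    reasons.append("account differs from vendor master")

    # Control 1: callback made to the number on file, not one from the email.
    if req.callback_confirmed_by is None:
        reasons.append("no out-of-band callback recorded")
    elif req.callback_number_used != record["callback_phone"]:
        reasons.append("callback made to a number not on file")

    # Control 2: a second person, distinct from the requester, approves.
    if req.second_approver is None or req.second_approver == req.requested_by:
        reasons.append("no independent second approver")

    if len(reasons) == 1:
        # Only the account change itself was noted; both controls were satisfied.
        return "release", ["account change verified by callback and second approver"]
    return "hold", reasons


if __name__ == "__main__":
    changed = WireRequest("acme-supply", 48000.0, "999900001111", "alice",
                          callback_confirmed_by="bob",
                          callback_number_used="+1-555-0100",
                          second_approver="carol")
    print(evaluate_wire(changed))
```

The important design point is that the callback number comes from the vendor record the organization already holds, so a "please use our new account" email cannot also supply the phone number that confirms it.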

Ransomware is a flavor of malicious software (malware) that encrypts data and critical system files, rendering computers and data unusable without decryption. Decryption is only possible with a key that is provided only if a ransom is paid to the attacker. These ransoms are paid using cryptocurrencies like Bitcoin and range from hundreds to millions of dollars in value. The attacks have become quite sophisticated in their methods for attacking and infecting organizations (while attacks against home users are down, targeted attacks against companies and municipalities are sharply increasing) and have evolved to include sophisticated, difficult-to-discern emails (phishing) and the use of other malware to spread ransomware payloads (the Emotet virus is currently the most common).

These ransomers have developed into sophisticated operations with help desks, 24×7 technical support, and trained negotiators. They make every attempt to encrypt during off hours and target backup mechanisms to make recovery without paying the ransom very difficult – as a result, many organizations pay the ransom to recover their systems and data in days rather than weeks or months (or not at all). Ransomware-infected companies have even had to go out of business because of the cost of recovery.

What are our compliance obligations?

While one can argue that maintaining the confidentiality, integrity, and availability of data and services for employees, partners, consumers, and customers is sufficient reason to have a robust information security program, many organizations are not aware that they are legally required to have one. Whether or not you must comply with a particular compliance regime can be a subtle question. Getting expert help from a trusted advisor is recommended if there is any doubt.

For example – an organization provides a portal for consumers to find a healthcare provider and also allows the consumer/potential patient to upload insurance and health-related information to aid the search and communicate with the potential provider. They assumed that because they were handling healthcare-related data they were required to comply with HIPAA. It turns out that as a result of the American Recovery and Reinvestment Act of 2009 (ARRA 2009) there is a distinction for health records collected and handled by non-HIPAA-covered entities. In this case the data they were collecting was considered a “Personal Health Record” and not “Protected Health Information” and thus was covered by the Federal Trade Commission – which does not have the same compliance requirements for the use of this data but does have very strict breach notification rules.

To make it even more confusing, if this organization were a HIPAA-Covered Entity, the same data would be considered PHI. This confusing narrative is provided to underscore the need to get good advice from a knowledgeable source to determine whether you have compliance obligations.

Questions related to staffing

Do I have a designated and trained information security expert on staff or a third-party trusted information security and risk advisor?

A 2011 Symantec Threat Management Survey found that “most enterprises are not confident in their security posture and that staffing is a major issue limiting IT security’s effectiveness.” Specifically, 46 percent of those who lack confidence cited insufficient security staff, while 45 percent pointed to a lack of time to respond to new threats.

Worldwide, 43 percent reported understaffing as a major issue; in North America, that number is 53 percent. This is significant. There is a shortage of trained and experienced information security and risk management candidates. Some estimates say that unfilled cybersecurity jobs worldwide will reach 3.5 million by 2021.

As an employer of information security-related personnel, we have hired a core team of experts and have taken active steps to identify candidates and develop expertise from within. We also work with local technical schools and higher education institutions to foster new talent in the community.

Many organizations have a need for information security and risk management in their business but do not have enough work to justify the salary of a dedicated resource. In this case, they turn to a trusted advisor to help them develop a reasonable and appropriate information security program.

Does anyone on the board have Information Security and Risk Management expertise?

Many information sources have begun talking about the importance of information security and risk management oversight by the board of directors.  Computer and data systems were once a business enhancement – they have transitioned to business-critical tools (our ransomware experience has made this obvious).  As a result, boards must be aware of the confidentiality, integrity, and availability of their data and computing services and systems.  At a minimum there should be a formal mechanism (usually a formal committee) that includes experts in information technology, security, risk management, and business to digest the current threat and risk landscape and make recommendations to address these risks to the board.

Is our information technology department staffed appropriately? 

This seemingly simple question is very difficult to answer succinctly. It very much depends on the answers to all the other questions in this list. The size, complexity, geography, business type, customer characteristics, specific technologies in use, compliance obligations, etc. all directly affect the answer. Effectively answering the question requires a good understanding of the threat and risk landscapes within which the organization operates. This is the true value of a robust risk-based cybersecurity program – it allows an organization to make staffing and business decisions that are reasonable and appropriate to address its needs and obligations.

Questions related to your existing information security program

Am I spending enough / appropriately on information security-related tools and controls? (Is there a tool I should buy?)

Similar to the staffing question, the answer here is nuanced.  It depends.  In our experience with helping organizations get their arms around their threats and risks and developing a reasonable and appropriately-scaled information security program, they have most (if not all) the licenses and tools they need to address their risks.  The difficulty is in their configuration and the ability of the information technology organization to get meaningful information from them.  Often the roadblock to an effective program is one of time and availability of IT staff.  It is not uncommon for IT staffing to be less than what is required given the size and complexity of the organization. In addition, automating tasks that cause IT staff to be diverted from projects due to an endless break/fix cycle can improve the chances of information security-related projects being successful.

Do I need cybersecurity insurance? Is our cybersecurity insurance policy appropriate to our risks?

The answer to both of these questions is easy: Yes. Your organization should have cyber insurance (for a variety of reasons). According to CyberInsureOne, 27% of US firms have no plans to purchase cybersecurity insurance, only 8% of manufacturing companies have it, and only 50% of healthcare-related organizations are cyber-insured. This is despite the fact that the two greatest threats detailed above target these two verticals – wire fraud at manufacturing and ransomware in healthcare.

Currently, because the insurance companies want to sell the insurance to these threatened companies, the cost of cybersecurity insurance is very low.  Making sure that you have the RIGHT insurance with an appropriate level of coverage is a challenge. As a result, we work with several insurance brokers to identify the best practices for good cybersecurity insurance coverage.  Like many of the questions presented here, determining the correct level of coverage depends upon awareness of the threats and risks facing an organization. Ultimately, there are three things an organization can do with a risk – they can address it directly by making a change or implementing a tool, they can insure themselves to address the risk (in the insurance industry they refer to this as “transferring” the risk), or they can just decide to “assume” the risk and hope it doesn’t happen.

Are our information security and business priorities aligned?

The holy grail of information security is strong alignment with the business.  Everyone has access to the tools and data they need to do their work (but no more), the data and services are available when needed, and the data and analysis of that data is trustworthy and accurate.  Striking the balance between protection and convenience (and monetary cost, frankly) is the difficult part.

Is our written information security program (WISP) based upon an appropriate information security framework?

There is a wide variety of information security and information technology frameworks that provide guidance on appropriate controls to protect the confidentiality, integrity, and availability of data and services (some you might have heard of include NIST SP 800-53, the NIST Cybersecurity Framework, ISO 27001, HITRUST, COBIT, ITIL, the CIS Controls, and the AICPA Trust Services Criteria). Choosing the correct one depends on your compliance obligations, geography, business vertical, and organizational complexity. It is possible to map one framework to another – and some of them have been designed for just that purpose. HITRUST and the CIS Controls are built with this in mind. HITRUST certification is an expensive but effective way to demonstrate compliance – and anyone can download the actual controls for free. The CIS Controls are a framework created by industry experts, map well to other frameworks, and are intended to be free for anyone to download and implement.

Do our documented policies match what is actually happening in practice?

Often an organization’s written policies and standards are very well written and line up with their compliance obligations.  An auditor comes in, reviews the documents, and gives the documents a passing grade…  Unfortunately, the things written in these documents do not line up with what is actually happening in the organization.  Our approach is to have lean, well-organized documentation that addresses the threats and risks facing an organization in clear and concise language.  The end result is that instead of having compliance without real information security, an organization is secure by design and compliant by default.

Do we know where our data is and how it is protected (data lifecycle management)?

Ultimately, an information security program is concerned with the confidentiality, integrity, and availability of the data and services that utilize, store, transmit, and process that data.  Knowing the nature of that data, how sensitive it is in terms of compliance obligations, where it lives, where it is transmitted, where it is used, who has access to it, and how long it should be kept is vital.  For many organizations that data is core to their business.  Just like an auto repair shop must keep track of and care for their tools, an organization must keep track of and care for their data and services.  Very often this starts with classifying the data and establishing rules for the various classifications.

Are our employees being appropriately trained on cybersecurity?

Information security awareness training is vital for organizations. The two primary threats detailed earlier rely mainly on mistakes by employees to be successful. Wire transfer fraud tricks employees into sharing or relying upon restricted or incorrect account information. Ransomware is most often distributed by email-based attacks and requires employees to open infected attachments or click on malicious links. Even well-configured systems with robust monitoring mechanisms can let these emails and attacks slip by. The final and most important line of defense against these attack vectors is the person sitting at their desk determining whether what they are looking at is a real communication and not an attempted attack. All organizations should be providing mandatory and engaging cybersecurity awareness training at the time of hire and at least every year to refresh employees and keep security at the top of their minds.

Can we detect an attempted or successful cybersecurity incident/breach?

A mature information security program not only puts mechanisms and controls in place to prevent an incident or a breach but also includes mechanisms to monitor the operation of its networks, systems, services, and users to notice when something bad or unintended is happening. The use of automated mechanisms to aid the perpetually overworked and understaffed IT team is essential, and appropriately tuned alerting is one of the primary goals of the information security program, because any Internet-connected environment is under constant attack. Separating the attacks that have a real chance of succeeding from that constant background noise is essential.
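A concrete instance of "appropriately tuned alerting" is a rule that stays quiet on the constant stream of failed logins any Internet-facing host receives and fires only when a burst of failures from one source is followed by a successful login from that same source. The example below is added here and is not code from the original article or from any particular monitoring product; the sshd-style log lines are constructed, and the threshold (5 failures) and window (10 minutes) are assumed values to be tuned per environment:

```python
"""Tuned alert: password guessing that actually succeeds.

Added example, not part of the original article. Constructed sshd-style
log lines; threshold and window are assumptions. Failures alone are
treated as background noise and never raise an alert.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: one source guesses five times then gets in; a second
# source fails six times and never succeeds; a third logs in cleanly by key.
SAMPLE_LOG = """\
2024-03-01T02:10:01 sshd[811]: Failed password for admin from 198.51.100.7 port 51000 ssh2
2024-03-01T02:10:03 sshd[811]: Failed password for admin from 198.51.100.7 port 51002 ssh2
2024-03-01T02:10:04 sshd[811]: Failed password for root from 198.51.100.7 port 51003 ssh2
2024-03-01T02:10:06 sshd[811]: Failed password for admin from 198.51.100.7 port 51004 ssh2
2024-03-01T02:10:07 sshd[811]: Failed password for backup from 198.51.100.7 port 51005 ssh2
2024-03-01T02:10:09 sshd[812]: Accepted password for backup from 198.51.100.7 port 51006 ssh2
2024-03-01T02:11:00 sshd[813]: Failed password for guest from 203.0.113.9 port 40000 ssh2
2024-03-01T02:11:01 sshd[813]: Failed password for guest from 203.0.113.9 port 40001 ssh2
2024-03-01T02:11:02 sshd[813]: Failed password for guest from 203.0.113.9 port 40002 ssh2
2024-03-01T02:11:03 sshd[813]: Failed password for guest from 203.0.113.9 port 40003 ssh2
2024-03-01T02:11:04 sshd[813]: Failed password for guest from 203.0.113.9 port 40004 ssh2
2024-03-01T02:11:05 sshd[813]: Failed password for guest from 203.0.113.9 port 40005 ssh2
2024-03-01T03:00:00 sshd[820]: Accepted publickey for deploy from 192.0.2.20 port 60000 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) sshd\[\d+\]: (?P<result>Failed|Accepted) (?:password|publickey) "
    r"for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port \d+"
)


def parse(log_text):
    """Yield (timestamp, result, user, ip) for each line the pattern matches."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield datetime.fromisoformat(m["ts"]), m["result"], m["user"], m["ip"]


def find_successful_bruteforce(log_text, threshold=5, window=timedelta(minutes=10)):
    """Return one alert per success that follows >= threshold failures from
    the same source IP within the window. Pure failures produce nothing."""
    failures = defaultdict(list)      # ip -> timestamps of failures still in window
    alerts = []
    for ts, result, user, ip in parse(log_text):
        recent = [t for t in failures[ip] if ts - t <= window]
        failures[ip] = recent
        if result == "Failed":
            recent.append(ts)
        elif len(recent) >= threshold:
            alerts.append({"ip": ip, "user": user,
                           "failures": len(recent), "at": ts.isoformat()})
            failures[ip] = []         # one burst yields one alert
    return alerts


if __name__ == "__main__":
    for alert in find_successful_bruteforce(SAMPLE_LOG):
        print("ALERT", alert)
```

Run against the sample, the rule raises exactly one alert (the `backup` login from 198.51.100.7) and says nothing about the six failures from 203.0.113.9, which is the behaviour that keeps an understaffed team looking at the events that matter.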

Do we know how to respond in an emergency?

Having a documented plan (that is updated as personnel and the environment change) for how to respond to an incident or its big brother, a disaster, is only the first step. Educating the people who must respond when an emergency occurs (and their backups in the event they are unavailable) is the next task. Finally, and perhaps most important, is testing that plan regularly (and learning from and addressing the results of those tests). Again – having something lean and useful is more important than reams of paper sitting on a shelf.
