Questions You Should be Asking Your CISO About Your Cybersecurity Plan
Gone are the days when CEOs asked whether they would experience an attempted breach. CEOs and the rest of the C-Suite now know that breaches are a significant threat and that waiting for an incident to occur before developing a plan is poor practice. An effective plan can limit data loss, minimize damage to brand reputation, and reduce the financial losses that come from downtime and regulatory fines.
It Is More Than Just Checking Off Boxes
The need for an incident response plan is well supported, but the plan is not about checking off a box that says "We have a plan in place". If you are a member of the C-Suite, you have likely already asked yourself whether the company is prepared for an event; if you are the CISO or CIO, you probably already know the answer. Leaving the responsibility for assessing the company's effectiveness and preparedness in the hands of one person, however, is problematic. Other C-Suite members have a vital role to play in information security and cybersecurity, and that role will only grow as technology and the dependence on it accelerate. When did you last review the incident response plan? How much time has been devoted to analyzing cybersecurity and information security and their potential impact on the company? The past two years have brought significant change in both digital transformation and cybersecurity. If no time has been dedicated to this within the past two years, now is the time.
Deciding to review the company's IT security measures and evaluate their effectiveness is the easy part; knowing which questions to ask the team is harder. Below are our top five questions you should be asking your CISO.
1. What is our biggest cyber risk right now?
You need to know your adversary before you can plan against it. Knowing what the biggest risk is today lets you build a strategy, or assess the one already in place, and judge whether it is effective against that risk. Risks change over time, so the answer should be specific and current, not a restatement of last year's priorities.
2. How are we dealing with third party vendors?
There are three key components to this question that need to be addressed.
First, how are third-party suppliers and vendors vetted? Are they required to have cybersecurity policies that align with your company's, for example annual or quarterly cybersecurity training for all staff? Are they asked to meet specific information security standards, such as ISO 27001 certification?
The second concern is access. Is the principle of least privilege applied to third parties, so that each vendor is allowed only the access its work absolutely requires, for only as long as it is required?
Finally, what is being done to inventory third-party access and devices, and where can that inventory be found? An inventory that cannot be produced on request, with an owner and a review date for each entry, is effectively no inventory at all.
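To make the access and inventory questions concrete, here is an added example (not part of the original post) of the kind of check a security team can run over a third-party access inventory. The inventory rows, vendor names, account names, roles and dates are all constructed for illustration; the 90-day staleness window and the set of roles treated as privileged are assumptions you would tune to your own environment.

```python
from datetime import date, timedelta

# Constructed sample inventory (fictional vendors and accounts), one row per
# third-party identity and the access it currently holds in our environment.
THIRD_PARTY_ACCESS = [
    {"vendor": "Vendor A", "account": "svc-vendora-erp", "role": "read-only",
     "owner": "finance-it", "last_used": date(2024, 5, 20),
     "contract_end": date(2025, 1, 31), "enabled": True},
    {"vendor": "Vendor B", "account": "svc-vendorb-support", "role": "admin",
     "owner": "helpdesk", "last_used": date(2024, 5, 28),
     "contract_end": date(2024, 12, 31), "enabled": True},
    {"vendor": "Vendor C", "account": "svc-vendorc-etl", "role": "read-write",
     "owner": None, "last_used": date(2023, 11, 2),
     "contract_end": date(2024, 3, 31), "enabled": True},
    {"vendor": "Vendor D", "account": "svc-vendord-backup", "role": "read-write",
     "owner": "infra", "last_used": date(2024, 5, 29),
     "contract_end": date(2024, 3, 15), "enabled": False},
]

# Assumed policy thresholds: accounts unused for more than 90 days are stale,
# and these roles are considered privileged (a least-privilege violation for
# a vendor unless explicitly justified).
STALE_AFTER = timedelta(days=90)
PRIVILEGED_ROLES = {"admin", "owner"}

# Fixed "today" so the example is reproducible; use date.today() in practice.
AS_OF = date(2024, 6, 1)


def audit_third_party_access(inventory, today):
    """Return (account, finding) pairs for enabled third-party accounts that
    hold a privileged role, have no named owner, have not been used within
    STALE_AFTER, or belong to a contract that has already ended."""
    findings = []
    for row in inventory:
        if not row["enabled"]:
            continue  # disabled accounts carry no live access; skip them
        acct = row["account"]
        if row["role"] in PRIVILEGED_ROLES:
            findings.append((acct, "privileged-role"))
        if row["owner"] is None:
            findings.append((acct, "no-owner"))
        if today - row["last_used"] > STALE_AFTER:
            findings.append((acct, "stale"))
        if row["contract_end"] < today:
            findings.append((acct, "contract-ended"))
    return findings


def findings_by_vendor(inventory, today):
    """Group findings by vendor so each can be raised with its business owner."""
    account_to_vendor = {row["account"]: row["vendor"] for row in inventory}
    grouped = {}
    for acct, finding in audit_third_party_access(inventory, today):
        grouped.setdefault(account_to_vendor[acct], []).append(finding)
    return grouped


if __name__ == "__main__":
    for vendor, issues in findings_by_vendor(THIRD_PARTY_ACCESS, AS_OF).items():
        print(f"{vendor}: {', '.join(issues)}")
```

Run against the sample data, the audit leaves Vendor A clean, flags Vendor B's account for holding an admin role, and flags Vendor C's account three times: it has no owner, it has not been used in over six months, and its contract ended two months ago while the account is still enabled. That last combination is exactly the gap the inventory question is meant to surface.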
3. How much time is devoted to the incident response plan? When was the plan last reviewed?
Incident response plans require testing, both so the team can practice and so the plan improves over time. After each test, the team should review the challenges it found and update the plan and the underlying strategies to overcome them.
4. Are legal and communications included in our incident response plan?
Legal and communications are key when an incident occurs. Do these teams participate in the testing scenarios? If not, when was the plan last actively reviewed with them?
5. How would you rate the company culture as it relates to cybersecurity?
Human error is one of the largest cybersecurity concerns, so gauging the level of cybersecurity awareness across all employees is key to any cyber plan. Is cybersecurity training required for everyone? Are there members of the IT department looking to upskill through additional training courses that would strengthen the security team's ability to deliver on long-term information security plans?
Looking to find more information on questions to ask your security team? Check out our blog Questions CEOs and CFOs Should Ask Their Cybersecurity Teams