As part of our “C-Suite Accountability” theme, we explore why holding senior executives accountable is a necessary motivator in the prioritization, development, and adoption of cybersecurity initiatives across the small to medium-sized organization. In this post, Adam Mansour provides the best and worst questions to help leadership understand their cybersecurity prevention posture, to enable informed decisions about mitigating the risks of cyberattack. They are not technical questions, so there is no excuse not to ask them.
Let’s start with the worst questions to ask. Good intentions aside, these questions don’t generate an answer that is usable, or indicative of the true state of your security. The answers tend to take the conversation in a direction that is only relevant to a specific type of attack, a particular kind of prevention technology, or something that is too philosophical to address the real issues. In my capacity as a Virtual CISO advising businesses on their security posture, I offer leaders better questions that should yield an answer that they can understand, and that is truly representative of the state of their security.
What is our breach/incident response plan?
This question just re-affirms a false sense of security. A leader who asks this, walks away thinking “Well, good – at least we have a plan…” when in fact, chances are that your organization lacks the ability to detect that you are breached, let alone implement a plan to do something about it. It doesn’t address whether you can execute the plan, whether it has been practiced, or whether it will be effective. Despite leaders’ inclination for strategy and planning, to prevent breaches, you need practices and processes; not a plan on paper.
A better question: Can we be breached? Would you know if we were?
This question gets you right to the crux of the issue – are we susceptible to the problem? Can we identify it? It avoids technobabble because it refers to the outcomes driven, rather than the solutions themselves. This gives leaders a clear indication of whether their team can identify this risk to their business, and whether there is a gap to be addressed.
What are we doing about Data Loss (or some other cybersecurity problem)?
This question typically isn’t well-suited to the person answering it. If you ask a technical person on your IT team, you should expect a technical answer – probably something about backup configurations. When, really, what you want is the liability answer. That technical person you asked doesn’t see the business problem – they oversimplify to a domain they know: specs/features of the particular DLP solution you’re using (or that they think you should buy). Would you really expect the technical person to say: “Here’s our due process for determining whether we’ve lost data, and how…” or “Let’s get cyber-insurance to mitigate the risk of financial loss as a result of a breach…” or “Let’s keep everything encrypted so that if we do lose data, we’re not liable…” Yes, I’m generalizing, but you get the idea – asking a technical person a question about a particular type of attack or cybersecurity risk is not going to yield an answer that tells leaders whether/how/how well their business is protected overall.
A better question: What attacks are we still vulnerable to?
By focussing on the types of attacks we are vulnerable to, this question evokes the understanding (in both parties) that you are vulnerable and that you need to remediate those vulnerabilities. The alternative, of “What solutions are we missing?” is a never-ending cycle of hyperbole – where solutions are extremely siloed, contributing to a lengthy, complex and expensive process of building a Security Operations Center (SOC). Recognize the illusion of “Just buy a solution” or “set it and forget it” - because, without qualified people and rigorous processes to manage such “solutions,” they don’t improve your security.
Are we training our staff?
Leaders hear things like how “End-users are the weakest link in Cybersecurity” or “Small businesses are being targeted by spear phishing,” and want to understand are staff equipped to defend themselves. Makes sense, right? Unfortunately, the sophistication of your users is not a good way to assess the overall security posture of your business. Knowing whether you’ve got training doesn’t go deep into how you’re protected; it’s entirely superficial. Even asking how users performed on the test doesn’t cut it – it doesn’t cover the risks you’re facing in terms of availability, or operational downtime (the things that cost you revenue). All it can tell you is whether your users can pass a simple test, that usually pales in comparison to a real phishing attempt.
A better question: If our staff clicked through on a ransomware infection, how would we react? What would the consequences be?
Let’s face it – your users will click on things they shouldn’t. Training is good and can reduce the chance of users falling victim, but to place the entire onus upon the user to prevent attacks is misguided. Even with the chances reduced, there is always the possibility that the best-executed spoofs make it through – which is why understanding how you are protected when that happens, is integral.
How much should we be spending on cybersecurity?
It’s amazing how your IT team knows exactly when to stop buying laptops – yet, for cybersecurity nobody seems to know when. The problem is that you’re measuring the wrong thing – you keep asking about spend, keep buying products when you should be measuring and solving problems. Leaders need to ask questions that require a different way of thinking, because IT wants to buy software to solve the problem, rather than doing the hard work of understanding the risks to the business, generating processes to mitigate those risks effectively, and systematizing, documenting, and regularly evaluating the efficacy of what they are doing… in other words: continually evolving – just like cybersecurity threats.
A better question: Given these risks, what is the most affordable way to solve the problem?
This is how you should actually determine your cybersecurity budget – by drawing on the previous ‘good’ question (of what we’re still vulnerable to), and a presumed understanding of how to mitigate those risk, what is the cheapest way to achieve the outcome. This line of thinking (and downstream action) can be supported by penetration testing efforts, to ensure you are in fact mitigating the risk. Then, like other investments, your budget is dictated the balance of your risk tolerance, with what you can afford.
Did I mention that our Managed Detection and Response service is a comprehensive cybersecurity option that is affordable for the SMB? You can also connect with one of our experts to assess your security prevention posture, if you aren’t getting satisfactory answers to the questions above.
