Security Questions Leadership Should Ask
November 12, 2020 by Becky Metivier
When it comes to managing cybersecurity risk and building cyber resilience, leaders in local governments and school districts must take ownership. In order to do this, they need to gain an understanding of the risks they are facing and stay informed about the evolving threat landscape. After all, they will be held responsible should an incident occur.
So as a leader in your community, agency, or school, what should you be asking of your information security team to gain this knowledge? Here’s a list of ten questions you need answered, and why, in order to take on your cybersecurity role and responsibilities.
#1. Do we fully understand cybersecurity threats and risks as they relate to our agency/organization/institution and the public sector?
Cyberattacks are constantly evolving. Most experts agree this trend will continue, with attacks becoming more frequent and more sophisticated all the time. It’s important you stay up to date on the current threat environment and attack vectors. You need to know whether you are being targeted, and how you would be impacted if an attack were successfully carried out.
#2. Do we base our cybersecurity program upon a widely accepted security framework?
When you’re writing your policies and developing your program, having a framework to base it on is very helpful. There’s no need to reinvent the wheel. There are a number of excellent frameworks out there, including the ISO/IEC 27000 family of standards for information security management, the NIST Framework for Improving Critical Infrastructure, the US Department of Defense’s Cybersecurity Maturity Model, and the COBIT Framework for IT Governance and Control.
Frameworks guide you to effectively implement the processes your organization needs to be engaged in. Then from your perspective, you can determine what the risks are and what level of control you need to exercise over your information, your infrastructure, your relationship with third parties, your training, etc. Frameworks help you take advantage of the masters of the industry. A tested framework relieves an organization of the worry associated with figuring out what to do, so it can spend its time thinking about exactly how to do it!
#3. Who on our leadership team has cybersecurity expertise?
More and more we’re seeing leadership teams with people who have either a technological or security background. This expertise can significantly elevate your team’s awareness. And more awareness can help you be better prepared to defend against cybercriminals.
#4. Have we aligned our organizational and cybersecurity strategies?
It’s important your organization has a “baked-in” cybersecurity strategy versus a “bolt-on” one. This means that security is part of the conversation from the very beginning when formulating your strategic initiatives. Unfortunately, most of the resistance to security comes from the perception that it’s a barrier to completing goals. Security is perceived as an imposition, a road block, a “no” that stops you from doing what you want to do and interrupts your day-to-day business. But this only happens because security functions are not integrated from the start, at the strategic and project levels. The later in a process security is considered, the more disruptive it can be.
#5. Are we appropriately allocating resources, roles, and responsibilities?
Many IT professionals have had to assume security responsibilities over time. So, they have an operational role, and then are required to take on a security role as well. It’s difficult to fulfill both responsibilities. As the need increases, security teams have to grow, and responsibilities need to be allocated so that opportunities for internal fraud are reduced. You need segregation of duties, independent review of activity around security functions, and dual controls where there’s a very sensitive function.
#6. What is our level of participation in information-sharing forums?
Where do you get your information about new and emerging threats? Are you getting the actionable intelligence you need in order to avoid a compromise on any given day? Careful planning, alignment with the organization’s strategic objectives, and well-managed execution of the threat intelligence-sharing function will make any organization better able to predict and avoid danger, respond to emerging threats, and thereby improve overall resilience.
#7. How do our threat intelligence activities inform our risk management decision-making?
If you’re acting on incoming threat intelligence and tracking those actions, it will inform your risk-management decision-making process. It will help you think about your strategic plans in terms of risk from a cybersecurity perspective, not just a financial one.
#8. How are we able to detect a cyberattack?
It’s important to keep in mind there isn’t one single tool for this. And there’s no such thing as 100% protected. You need to determine which systems you are utilizing and how they integrate and interact with each other. Do they have the capability to aggregate data across systems to give you a better understanding? Are you continually monitoring network traffic and endpoint activity so you can detect when an incident occurs?
#9. Are we prepared to respond to a cyberattack?
It’s important you have the expertise, skill set, and knowledge required to manage an incident end to end. There are cross-functional skills that are needed. Move away from incident response and into incident management. Preparation is imperative, which requires time, dollars, and people.
#10. How are we training/preparing our employees to play their cybersecurity role?
Everyone has a role to play in keeping the organization secure. Every employee needs to be aware of the risk picture, especially where technology is concerned. One of the best defenses you can build as a company is a workforce that understands the fundamentals of cybersecurity, so they can make everyday choices to promote it.
These questions can also serve as a guide to information security leaders when giving their presentations to leadership. If they’re not asking for this information, be sure you’re providing it to them. They’ll thank you for it.