As a C-level executive, you understand the impact that a cyber attack can have on your business in terms of performance, productivity, morale and reputation — as well as the need for the right budget, technology and skills. But do you have confidence in your IT team’s ability to effectively protect your organisation? Are you asking your IT leaders the right questions when it comes to cyber security so that you can support them in driving the agenda? Ultimately, you’re accountable to your board and shareholders when it comes to keeping your organisation, data and IP protected.
We’ve put together these top 5 questions for you to ask your IT leaders, so you can have confidence that you’re protected or, if not, take steps to address the gaps:
1. How do you know we’re protected?
No organisation or cyber security solution is completely bulletproof. The threat landscape is constantly evolving and, as a result, so too are your cyber security tools and solutions. They need to be kept updated and patched to deal with new types of attack, and you need confidence that your team acts promptly on alerts and advisories from your security vendors. How long does it take them to act once a patch becomes available, and is that turnaround shorter for vulnerabilities that are already being exploited?
And when it comes to maintaining and managing your defences, how often are vulnerability scans and penetration tests carried out? How would your team know if you were being attacked right now: what is being monitored, and who is watching the alerts?
Your role in championing good security practices and supporting your IT team is essential, because ultimately you’re accountable to your board and shareholders. Fostering a good relationship with IT and understanding their challenges (both in cyber security itself and in securing budget and skills) can make the difference between being breached and being protected.
2. How often do we train our staff?
Cyber security is everyone’s concern, especially since human error, whether through ignorance or by accident, plays a part in the majority of successful cyber attacks; some research puts the figure as high as 90%. Staff should know what the threats are, what to look out for (such as how to recognise a phishing email) and what they absolutely shouldn’t do (click a link or open an attachment in an unexpected email). Training should be ongoing rather than a one-off, and a key part of onboarding new employees.
3. What is our incident response plan?
Having an incident response plan is not just best practice; it can be a legal or regulatory requirement in some cases. Detecting an attack or breach is only the first stage in mitigating risk and putting remediation in place. Your team needs to know how to respond to an attack and to follow up afterwards so that the lessons learnt are actually applied. Penetration testing shows you where you are weak; it does not, on its own, show whether your team can execute the plan under pressure. That takes rehearsal, for example a tabletop exercise or a simulated breach, so ask how often both take place. Does each person know their role and responsibilities when responding to an attack? What would happen if a team member was off sick or out of the office, and who would fulfil their duties? It isn’t a question of if an attack occurs but when, and having a plan, and a contingency plan, for when a breach does occur is an essential part of a comprehensive cyber security strategy.
4. Do we have the right skills in-house?
The answer here is most likely no. There is an acknowledged skills gap in the cyber security industry, with far more jobs available than people to fill them. As a result, the professionals currently embedded in organisations are more difficult (and more expensive) to retain because their skills are in such high demand. Succession planning and upskilling should be an essential part of your IT people’s ongoing training and development plans so you don’t lose a whole skill set when one person leaves. Investing in training and then having people leave can seem a poor return, but ask yourself which is worse: that, or not developing them and having them stay? With good succession planning you can mitigate the knowledge loss when a person leaves by ensuring they are training and passing skills on to more junior members of the team, who are then ready to step up. You can also consider outsourcing some skills to a security partner, which can make things a lot easier.
5. How do you operate, maintain and tweak our cyber security solution?
In our experience from speaking to many IT people responsible for cyber security, the answer is invariably that they don’t: they wait for alerts. This is often because your security solution is made up of a whole suite of tools from more than 20 vendors, and if you happen to work in a bank, that number can be as high as 250. That’s between 20 and 250 different tools to know, to tune and to understand in terms of the knock-on effects any change may have on your other integrations. This number of tools can create just as many gaps in your solution, if not more, because they are all working individually rather than as one system. If your team waits for alerts from each one, what about the threats that none of them sees? How do they track the threat landscape and keep up with the latest developments in the industry? Who on the IT team is responsible for that, and do they have the time to dedicate to it? This is where working with a managed security service provider can make all the difference.
When it comes to securing your organisation, collaboration is key. Whether that’s between you and your IT leaders, between IT and staff, or between IT and your security provider, teamwork is what makes it possible to identify and deal with cyber threats. Working with the right cyber security partner can free up valuable resources within your IT department and give your defences the best chance of keeping intruders out and confidential information in. Security providers also have the resource and investment to keep on top of the latest trends and technologies in the industry, and that expertise is something they can pass on to you.
For more information and a longer read, download our Executive Report: Culture, engagement and cyber security — Insights for the C-level