Creating a resilient cybersecurity culture begins with a cohesive, top-down position and approach. To help accomplish this, having regular and reciprocal conversations with your CISO is important to ensure that your company is maximizing its cybersecurity potential at all times. Here are 5 questions to ask your CISO today to increase transparency and communication within your organization:
1. What are the biggest cyber threats to our company right now?
An essential task for any CISO is to gather threat intelligence. Threat intelligence involves collecting information and data about the latest security threats or incidents and analyzing what the latest threats one’s organization are. This task is critical as it can be used to identify both strategic, long-term goals and urgent, operational needs for your company. Knowing the cyber risks your company faces helps can your cybersecurity strategy from reactive, to proactive.
2. What are our incident response and disaster recovery plans, and are we prepared to execute them?
Considering the odds, CISOs know that the question isn’t if, but when a cyberattack will occur. Therefore, having an efficient incident response plan in place is vital to ensure that the threat can be located and mitigated so that as little damage as possible is done in the event of a cyberattack. Additionally, a common mistake many security teams make is having an incident response plan, but not practicing it. Practicing your response strategy is essential because security breaches are usually unexpected, high-intensity situations – your team needs to be confident in their ability to execute the plan despite the stress.
3. Have we achieved sufficient, company-wide cyber awareness?
Your company’s employees, without basic cyber training, pose the greatest cyber threat to your organization’s security. This is because threat actors often gain access to systems through simple email schemes. In turn, security awareness training should be mandatory for each and every employee, no matter their position. That said, training should be continuous, as the threat landscape is constantly changing and good cyber hygiene needs to be incorporated into every-day best practice.
4. Are we investing adequately in our cybersecurity? Are there any investments we should consider making?
New cyber technologies are always emerging, but not every technology is necessary for your organization. Furthermore, considering new technologies or systems are expensive and time-consuming to implement, your CISO should conduct a risk-based assessment of your current cybersecurity program to determine where the most pressing issues lie. Then, according to budget, informed and strategic investment decisions can be made together.
5. Are we holding all our third-party vendors accountable to appropriate security controls?
Third-party vendors are prone to introducing vulnerabilities to your security system, and they must be held to the same security standards to which you hold yourselves. Not only should third-party vendors be contractually obligated to certain security requirements, but they must also be continuously monitored. Furthermore, new compliance legislation assigns organization’s responsibility for the security of their third-party vendors, and thus their accountability is both a technical and legal concern.
Dialogue and consistent communication is important between the cyber and non-cyber sides of any organization, for cybersecurity has implications that concern all divisions. For more helpful cybersecurity tips, news, and information, sign up for our monthly newsletter.