Author: Rick McElroy, Security Strategist, Carbon Black
CEOs have been in the hot seat lately. If you are a CEO, you are being held accountable for the security of your organizational and customer data. Last year, the former CEO of Yahoo said in testimony under oath:
“Yahoo still doesn’t know exactly how hackers breached all of its users.”
This is Yahoo. An internet services company that has been around since 1994. They pioneered a ton of services. They were one of the first “cool” internet companies. They had also been previously breached. Neither Equifax’s nor Yahoo’s former CEOs could say how much their security improved following the latest breaches. I am hoping that by providing some education for CEOs and board members, we can begin to bridge this knowledge gap and ensure infosec programs are adequately funded and prepared to prevent, detect, and respond to any breach.
When I think of the CEO or board’s role in information security, I think back to my days in the Marine Corps. There is a concept called “Commander’s Intent” which succinctly describes what constitutes success in an operation. This includes the purpose and conditions that describe the end state, linking the mission, concept of operations and tasking to subordinate units.
Business leaders should be more concerned with the metrics involved than with the tasks themselves.
Commander’s Intent is the result of lessons learned on the battlefield. If I tell another Marine exactly how to take an airfield and the situation changes (which it often does), that unit is forced to come back to me for new orders every time the situation changes. Think of how that would ultimately work out (hint: it wouldn’t). If, however, I explain why the airfield is important to the overall strategy, then they are free to act on new information and a changing battlefield to meet the original intent. As a CEO, setting your intent is crucial to achieving a successful security strategy.
CEOs and board members need to understand the overall security program: how it is structured, who is responsible for determining whether risk is managed appropriately, and where to invest the dollars. You also need to set the culture and intent for security, and make it clear across the entire organization. You set the overall tone.
I wanted to put together a list of questions CEOs should know the answers to – answers your team should be able to provide on a regular basis. You need to make security part of your everyday conversation. The following questions should help you stay informed, up to date, and ready for any security issue.
How are we managing risk? What’s the structure of the team?
What percentage of the budget is security? Are we funded and staffed correctly?
What’s the budget growth or decrease year over year?
What are the top five risks? Have they moved up or down?
Do we have a training and awareness program in place?
Do we have a plan for incidents/data loss? Has it been tested?
What percentage of critical data is known and encrypted?
Are we compliant? (if applicable)
Do we have an ongoing continuous assessment and improvement plan?
How does our posture compare to similar organizations in the same vertical?
What do I need to know today that I don’t already?
In follow-up blogs to this, we’ll discuss each question in further detail. For now, though, take a cursory look at the list above and start building these questions into your regular conversations.