A CEO's Guide to Addressing Cybersecurity Concerns
Cybersecurity Questions that All CEOs Need to Ask
The best business decisions are often made based on senior leadership’s confidence in facts, figures and calculations made by appropriate parties within the organization. Relying on gut instinct—or worse, potentially false or incomplete information—is a dangerous road to travel, especially in cybersecurity.
While a gut instinct may work in marketing, sales, or another facet of the business, the planning, implementation, and verification of security operations require facts to be complete and accurate. You need to have all the answers to every possible question at any time.
CompTIA’s Cybersecurity Advisory Council has developed a series of questions to ask within your organization to ensure that you have a complete security picture in order to make the best decisions for the company.
Note: It’s important that the person or people answering these questions recognize that they are obligated to share any and all pertinent information relevant to the larger decisions being made, whether a direct request was made or not.
For each of the questions below, keep in mind that responses should also address the following questions/criteria as a baseline:
Are you sure?
Cybersecurity expectations should be measured against the reality of implementation of processes, procedures, education, and verification. False assumptions or beliefs about security conditions are often found after a major security incident. These inaccurate understandings can lead to security gaps and unmitigated risks that are later found to be a potential or even predominant cause of a breach.
Why are you sure?
Refrain from making a business decision after being told that “all is good” without supporting evidence from responsible parties. Request or even require independent testing based on the outcome expected, then review those results to ensure a high level of compliance and confidence.