CEOs have been on the hot seat lately, as they are held accountable for the security of their organisational and customer data.
Recently, in testimony the former CEO of Yahoo said under oath: "Yahoo still doesn't know exactly how hackers breached all of its users."
This from an internet services company that has been around since 1994. They pioneered a ton of services. They were one of the first 'cool' internet companies. They had also been previously breached.
Neither Equifax nor Yahoo's former CEOs could say how much better their security had become as a result of the latest breach. Hopefully by providing education for CEOs and board members, we can begin to bridge this knowledge gap and ensure that infosec programs are adequately funded and prepared to prevent, detect and respond to any breach.
In considering what the CEO's or board's role in information security comprises, I think back to my days in the Marine Corps. There is a concept called 'Commander's Intent.' This succinctly describes what constitutes success for an operation. It includes the purpose and conditions that describe the end state. It links the mission, concept of operations and tasking to subordinate units.
Business leaders should not be concerned with the tasking itself, but with the metrics that denote success. Commander's Intent resulted from learning on the battlefield. If I tell another Marine exactly how to take an airfield and the situation changes (which it often does), it forces that unit to come back to me for new orders every time the situation changes.
Think of how that would ultimately work out (hint: it wouldn't). If, however, I explain why the airfield is important to the overall strategy, then they are free to act on new information and a changing battlefield to meet the original intent. For a CEO, setting his/her intent is crucial to achieving a successful security strategy.
CEOs and board members need to have an understanding of the overall security program: how it is structured, who is responsible for determining whether risk is managed appropriately, and where to invest dollars. They also need to set the culture and intent for security. The CEO should say it in front of the organisation and set the overall tone.
It is critically important for CEOs to know the answers to the 10 questions below, and to ensure that their teams are able to provide answers on a regular, recurring basis. CEOs need to make security part of their regular conversation. The following questions should help them stay informed, up to date and ready for any security issue.
- How are we managing risk? What's the structure of the team?
- What percentage of the budget is security? Are we funded and staffed correctly? What's the budget growth or decrease year-over-year?
- What are the top five risks? Have they moved up or down?
- Do we have a training and awareness program in place?
- Do we have a plan for incidents/data loss? Has it been tested?
- What percentage of critical data is known and encrypted?
- Are we compliant (if applicable)?
- Do we have an ongoing continuous assessment and improvement plan?
- How does our posture compare to like organisations in the same vertical?
- What do I need to know today that I don't already?
Later, I will discuss each question in more detail. Meanwhile, CEOs should take a cursory look at the list above and start building these questions into their regular conversations.