Ten Essential Cyber Security Questions to Ask Your CISO


IT Governance Blog

June 17, 2015 by Julia Dutton 6 Comments

The ever-present threat of cyber attacks, highlighted by the host of massive data breaches affecting most sectors and countries, is forcing businesses of all sizes to take action. Some reports tell us that cyber security is a hot topic in the boardroom, while other reports imply that the board isn't placing enough emphasis on this thorny matter. Nevertheless, cyber crime and its associated consequences are here to stay, and if the board is not yet asking the tough questions, it is time that it did.

While some might argue that the board is ill-equipped to challenge the CISO about cyber security risks and their countermeasures, several organisations have already embarked on director training in cyber security. Although boards of directors and CEOs may not need to know why a certain type of malware can penetrate a firewall, they will need to know what their organisation is doing to address threats known to penetrate firewalls. Discussions of cyber risk at board level should include identifying which risks to avoid, accept, mitigate or transfer (through cyber insurance), as well as reviewing specific plans associated with each approach.


    Ten essential cyber security questions to ask your CISO http://www.itgovernance.co.uk/blog/ten-essential-cyber-security-question...

    1 of 9 7/6/2015 9:17 AM

The board must ensure that the CISO is reporting at the appropriate levels within the organisation. Although many CISOs report to the CIO, it is important to be aware that there may be conflicting agendas between the CIO and the CISO.

    The Institute of Internal Auditors recommends asking the CISO the following questions:

1. Does the organisation comply with leading information security frameworks or standards?

Examples include the international information security management standard, ISO 27001, the Payment Card Industry Data Security Standard (PCI DSS) and COBIT, as well as HIPAA for organisations in the US healthcare industry.

2. What are the top risks the organisation faces?

Examples could include bring your own device, Cloud computing, internal threats (employee errors or malicious acts) or supply chain risks.

3. Do we have an effective information security awareness programme?

Most companies realise the benefits of effective staff awareness training. Ensure that the training provides sufficient awareness of the key threats and employee behaviours that can result in a data breach. Staff should also be aware of the increasingly sophisticated tactics used in phishing attacks.

4. Are we considering the internal threat?

A startlingly large number of breaches are caused by employee error (often committed by managers!) or malicious behaviour.

5. In the event of a data breach, what is our response plan?

Many cyber security experts now believe that it is no longer a matter of if but when you will be breached. The critical difference between organisations that will survive a data breach and those that won't is the implementation of a cyber resilience strategy, which takes into account incident response planning and disaster recovery strategies to bounce back from a cyber attack with minimal disruption to the business. The board should also be aware of the laws governing its duties to disclose a data breach.

    Other important questions include:


6. Are we conducting comprehensive and regular information security risk assessments?

The risk assessment should provide the board with assurance that all relevant risks have been taken into account, and that there is a commonly defined and understood means of communicating and acting on the results of the risk assessment. Worryingly, 32% of respondents to a recent PwC information security breaches survey (ISBS) had not undertaken any form of risk assessment. Proven software tools can help speed up and streamline the risk assessment process.

7. Are we adequately insured?

Recent reports reveal that cyber insurance is not adequate to protect companies from a full-scale cyber attack. Although it is difficult to quantify how expensive a data breach can be, information about other data breaches in your industry should provide an indication of the potential damages your organisation might face. The latest statistics reveal that breaches cost large organisations between £1.46m and £3.14m in 2014. Many organisations don't realise that they are liable for a data breach even if the data is stored in the Cloud, or if a third party with which they share information is breached.

8. Are we testing our systems before there's a problem?

There are many tests that can be undertaken to assess the vulnerability of systems, networks and applications. An important element of any security regime should be regular penetration tests. Pen tests are simulated attacks on a computer system with the intent of finding security weaknesses that could be exploited. They help establish whether critical processes such as patching and configuration management have been followed correctly. Many companies fail to conduct regular penetration tests, falsely assuming the company is safe, but new vulnerabilities and threats arise on a daily basis, requiring the company to continually test its defences against emerging threats.

9. Have our internal cyber security controls been audited?

If the organisation has chosen to comply with an information security standard such as ISO 27001:2013, an independent review of the organisation's information security controls can be conducted by a certification body, and can be used to provide evidence of the organisation's commitment to information security. This can in turn be used as a competitive advantage when bidding for new business, as is indeed the case with companies certified to ISO 27001.

10. Is our information security budget being spent appropriately?

26% of respondents to the PwC ISBS said they don't evaluate how effective their security expenditure is.

The board can play a key role in preventing problems before they arise by taking a more active part in cyber risk discussions. By becoming educated and informed, cyber risk in the boardroom need not be a topic that gets discussed only when there is an incident. Don't risk it, cyber secure it. Contact IT Governance for tailor-made boardroom cyber security training on +44 845 070 1750.


    Filed Under: Cyber Security, ISO 27001


Lawrence Chard says
July 6, 2015 at 10:11 am

WTF is a CISO, or a CIO?

I won't even mention COBIT or HIPAA!

Satish says
July 6, 2015 at 9:57 am

As the topic mentions, we are looking at the organization-wide security measures by the organization. Hence we have to see all internal as well as outside threats. Internal threats from an employee clicking a phishing link also need to be seen as a risk. I would like to add another aspect of supply chain risks, wherein your business is also vulnerable to the supplier risks, so the same also needs to be assessed and registered with your risk register.

nicoatridge says
June 22, 2015 at 9:21 am

I would add the question "When did we last test our recovery procedures?". Clearly this would include DR, but also recovering data from a backup source or manual alternatives to automated procedures. Additionally, some of the "what if" thinking should be establishing how vulnerable fallback options themselves are to cyber attacks. For example, a malicious assault on your data may not be detected for some time and backup data may have also been compromised.

Julia Dutton says
June 22, 2015 at 9:25 am

Hi Nico

Great point, thanks.

Julia Dutton says
June 22, 2015 at 8:53 am

Hi Dirk, thanks for your comment. From our perspective, and certainly from the point of view that is being taken by many other security firms, cyber security is an element of a broader information security strategy, which encompasses people, processes and technology. If you aren't practising end-user education, how will you ensure that your employees do not click on malicious links from phishing scams that can damage your entire network? Cyber security may have originated from the "outside" as you call it, but without a comprehensive approach, your best laid plans will fall short of protecting your data.

Dirk Schadt says
June 22, 2015 at 7:48 am

I'm missing your definition of cyber security and differentiation to information security. In my definition the first is a threat from outside, the CYBER, the other is about security from inside and outside.

Therefore things like security awareness or internal threats are not subject of cyber security.

Otherwise cyber security is just a buzzword for bullshit bingo.
