
Ten essential cyber security questions to ask your CISO


http://www.itgovernance.co.uk/blog/ten-essential-cyber-security-question...


June 17, 2015 by Julia Dutton


The ever-present threat of cyber attacks, highlighted by the host of massive data breaches affecting most sectors and countries, is forcing businesses of all sizes to take action.

Some reports tell us that cyber security is a hot topic in the boardroom, while other reports imply that the board isn't placing enough emphasis on this thorny matter.

Nevertheless, cyber crime and its associated consequences are here to stay, and if the board
is not yet asking the tough questions, it is time that it did.

While some might argue that the board is ill-equipped to challenge the CISO about cyber
security risks and their counter measures, several organisations have already embarked on
director training in cyber security.

Although boards of directors and CEOs may not need to know why a certain type
of malware can penetrate a firewall, they will need to know what their organisation is doing
to address threats known to penetrate firewalls.

Discussions of cyber risk at board level should include identifying which risks to avoid,
accept, mitigate or transfer (through cyber insurance), as well as reviewing specific plans
associated with each approach.


The board must ensure that the CISO is reporting at the appropriate levels within the
organisation. Although many CISOs report to the CIO, it is important to be aware that there
may be conflicting agendas between the CIO and the CISO.

The Institute of Internal Auditors recommends asking the CISO the following questions:

1. Does the organisation comply with leading information security frameworks or standards?

Examples include the international information security management standard, ISO 27001,
the Payment Card Industry Data Security Standard (PCI DSS) and COBIT, as well as HIPAA
for organisations in the US healthcare industry.

2. What are the top risks the organisation faces?

Examples could include bring your own device, Cloud computing, internal threats (employee
errors or malicious acts) or supply chain risks.

3. Do we have an effective information security awareness programme?

Most companies realise the benefits of effective staff awareness training. Ensure that the
training provides sufficient awareness about the key threats and employee behaviours that
can result in a data breach. Staff should also be aware of the increasingly sophisticated
tactics used by phishing attacks.

4. Are we considering the internal threat?

A startlingly large number of breaches are caused by employee error (often conducted by
managers!) or malicious behaviour.

5. In the event of a data breach, what is our response plan?

Many cyber security experts now believe that it is no longer a matter of 'if' but 'when' you will be breached. The critical difference between organisations that will survive a data breach and those that won't is the implementation of a cyber resilience strategy, which takes into account incident response planning and disaster recovery strategies to bounce back from a cyber attack with minimal disruption to the business. The board should also be aware of the laws governing its duties to disclose a data breach.

Other important questions include:


6. Are we conducting comprehensive and regular information security risk assessments?

The risk assessment should provide the board with an assurance that all relevant risks have
been taken into account, and that there is a commonly defined and understood means of
communicating and acting on the results of the risk assessment. Worryingly, 32% of
respondents to a recent PwC information security breaches survey (ISBS) had not
undertaken any form of risk assessment. Proven software tools can help speed up and
streamline the risk assessment process.

7. Are we adequately insured?

Recent reports reveal that cyber insurance is not adequate to protect companies from a full-scale cyber attack. Although it is difficult to quantify how expensive a data breach can be, information about other data breaches in your industry should provide an indication of the potential damages your organisation might face. Latest statistics reveal that breaches cost large organisations between £1.46m and £3.14m in 2014. Many organisations don't realise that they are liable for a data breach even if the data is stored in the Cloud, or if a third party with which they share information is breached.

8. Are we testing our systems before there's a problem?

There are many tests that can be undertaken to assess the vulnerability of systems,
networks and applications. An important element of any security regime should be regular
penetration tests. Pen tests are simulated attacks on a computer system with the intent of
finding security weaknesses that could be exploited. They help establish whether critical
processes such as patching and configuration management have been followed correctly.
Many companies fail to conduct regular penetration tests, falsely assuming the company is
safe, but new vulnerabilities and threats arise on a daily basis, requiring the company to
continually test its defences against emerging threats.

9. Have our internal cyber security controls been audited?

If the organisation has chosen to comply with an information security standard such as ISO 27001:2013, an independent review of an organisation's information security controls can be conducted by a certification body, and can be used to provide evidence of the organisation's commitment to information security. This can in turn be used as a competitive advantage when bidding for new business, as indeed is the case with companies certified to ISO 27001.

10. Is our information security budget being spent appropriately?

26% of respondents to the PwC ISBS said they don't evaluate how effective their security expenditure is.

The board can play a key role in preventing problems before they arise by playing a more active role in cyber risk discussions. By becoming educated and informed, cyber risk in the boardroom need not be a topic that gets discussed only when there is an incident. Don't risk it, cyber secure it. Contact IT Governance for tailor-made boardroom cyber security training on +44 845 070 1750.


Filed Under: Cyber Security, ISO 27001


Lawrence Chard says
July 6, 2015 at 10:11 am

WTF is a CISO, or a CIO?
I won't even mention COBIT or HIPAA!
Reply

Satish says
July 6, 2015 at 9:57 am

As the topic mentions, we are looking at the organization-wide security measures taken by the organization. Hence we have to see all internal as well as outside threats. Internal threats from an employee clicking a phishing link also need to be seen as a risk. I would like to add another aspect of supply chain risks, wherein your business is also vulnerable to the supplier's risks, so these also need to be assessed and registered in your risk register.
Reply

nicoatridge says
June 22, 2015 at 9:21 am

I would add the question "When did we last test our recovery procedures?". Clearly this would include DR, but also recovering data from a backup source or manual alternatives to automated procedures. Additionally some of the "what if" thinking should be establishing how vulnerable fallback options themselves are to cyber attacks. For example a malicious assault on your data may not be detected for some time and backup data may have also been compromised.
Reply
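The point raised in the comment above, that a backup taken after an undetected compromise is itself untrustworthy, is something a recovery test can check mechanically. The script below is an added example and is not part of the post or of any commenter's material: it records a SHA-256 manifest of a backup set, signs the manifest with an HMAC key that is assumed to be held away from the backup host (the key, file names and file contents here are all constructed for the demonstration), and then refuses to treat the set as restorable if any file was altered, removed or planted, or if the manifest itself was regenerated without the key.

```python
"""Verify a backup set against a keyed manifest before trusting it for restore."""
import hashlib
import hmac
import json
import pathlib
import tempfile

CHUNK = 1 << 16


def file_sha256(path):
    """Stream a file through SHA-256 so large backup members do not load into memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(CHUNK), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root):
    """Map every file under root (relative POSIX path) to its SHA-256 digest."""
    root = pathlib.Path(root)
    return {
        p.relative_to(root).as_posix(): file_sha256(p)
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


def _canonical(manifest):
    # Canonical JSON so the HMAC is stable regardless of dict ordering.
    return json.dumps(manifest, sort_keys=True, separators=(",", ":")).encode()


def sign_manifest(manifest, key):
    """HMAC-SHA256 over the manifest: an attacker who rewrites backup files
    cannot also rewrite the manifest without the key, which is kept off the host."""
    return {"files": manifest, "hmac": hmac.new(key, _canonical(manifest), hashlib.sha256).hexdigest()}


def verify_backup(root, signed, key):
    """Compare the current backup set with the signed manifest.

    signature_ok True and empty modified/missing/unexpected lists means the set
    matches what was recorded at backup time and is safe to restore."""
    expected = hmac.new(key, _canonical(signed["files"]), hashlib.sha256).hexdigest()
    findings = {
        "signature_ok": hmac.compare_digest(expected, signed["hmac"]),
        "modified": [],
        "missing": [],
        "unexpected": [],
    }
    current = build_manifest(root)
    for rel, digest in signed["files"].items():
        if rel not in current:
            findings["missing"].append(rel)
        elif current[rel] != digest:
            findings["modified"].append(rel)
    findings["unexpected"] = sorted(set(current) - set(signed["files"]))
    return findings


def demo():
    """Constructed scenario: take a backup, sign it, then simulate an attacker
    silently altering one file, deleting another and planting a new one."""
    key = b"offline-manifest-key"  # hypothetical; in practice sourced from an offline store
    with tempfile.TemporaryDirectory() as d:
        root = pathlib.Path(d)
        (root / "db").mkdir()
        (root / "db" / "customers.sql").write_text("INSERT INTO customers VALUES (1,'acme');\n")
        (root / "config.yaml").write_text("retention_days: 30\n")
        (root / "ledger.csv").write_text("2015-06-01,1000.00\n")
        signed = sign_manifest(build_manifest(root), key)
        clean = verify_backup(root, signed, key)

        # Tampering after the manifest was taken, as a compromised host might do.
        (root / "db" / "customers.sql").write_text("INSERT INTO customers VALUES (1,'evil');\n")
        (root / "ledger.csv").unlink()
        (root / "db" / "dropper.sh").write_text("#!/bin/sh\n")
        tampered = verify_backup(root, signed, key)

        # The attacker also tries to regenerate a matching manifest without the key.
        forged = sign_manifest(build_manifest(root), b"wrong-key")
        forged_check = verify_backup(root, forged, key)
    return clean, tampered, forged_check


if __name__ == "__main__":
    for label, result in zip(("clean", "tampered", "forged"), demo()):
        print(label, json.dumps(result))
```

Run as part of a scheduled restore drill: a backup set that fails `verify_backup` should be quarantined and an older, verified set restored instead, which is exactly the fallback-of-the-fallback question the comment asks the board to consider.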

Julia Dutton says
June 22, 2015 at 9:25 am

Hi Nico
Great point, thanks.
Reply

Julia Dutton says
June 22, 2015 at 8:53 am

Hi Dirk, thanks for your comment. From our perspective, and certainly the point of view that is being taken by many other security firms, is that cyber security is an element of a broader information security strategy, which encompasses people, processes and technology. If you aren't practising end-user education, how will you ensure that your employees do not click on malicious links from phishing scams that can damage your entire network? Cyber security may have originated from the "outside" as you call it, but without a comprehensive approach, your best laid plans will fall short of protecting your data.
Reply

Dirk Schadt says
June 22, 2015 at 7:48 am

I'm missing your definition of cyber security and its differentiation from information security. In my definition the first is a threat from outside, the CYBER, the other is about security from inside and outside.
Therefore things like security awareness or internal threats are not subject of cyber security.
Otherwise cyber security is just a buzzword for bullshit bingo.
Reply



2003-2015 IT Governance Ltd