CEOs have been on the hot seat lately. If you are a CEO, you are being held accountable for the security of your organization's and your customers' data. Recently, in testimony, the former CEO of Yahoo said under oath:
“Yahoo still doesn’t know exactly how hackers breached all of its users.”
This is Yahoo. An internet services company that has been around since 1994. They pioneered a ton of services. They were one of the first “cool” internet companies. They had also been breached before. Neither Equifax’s nor Yahoo’s former CEO could say how much their security had improved as a result of the latest breach. I am hoping that by providing some education for CEOs and board members, we can begin to bridge this knowledge gap and ensure infosec programs are adequately funded and prepared to prevent, detect, and respond to any breach.
When I think about the CEO’s or board’s role in information security, I think back to my days in the Marine Corps. There is a concept called “Commander’s Intent.” Commander’s Intent succinctly describes what constitutes success for an operation. It includes the purpose and the conditions that describe the end state. It links the mission, concept of operations, and tasking to subordinate units.
Business leaders should not be concerned with the tasking itself but with the metrics that denote success.
Commander’s Intent came as a result of learning on the battlefield. If I tell another Marine exactly how to take an airfield and the situation changes (which it often does), that unit has to come back to me for new orders every time the situation changes. Think of how that would ultimately work out (hint: it wouldn’t). If, however, I explain why the airfield is important to the overall strategy, then they are free to act on new information and a changing battlefield to meet the original intent. As a CEO, setting your intent is crucial to achieving a successful security strategy.
For CEOs and board members, you need to understand the overall security program, how it is structured, and who is responsible, so you can determine whether risk is managed appropriately and where to invest dollars. You also need to set the culture and intent for security, and you should say it in front of your organization. You set the overall tone.
I wanted to put together a list of questions CEOs should know the answers to, and that your team should be able to answer on a regular, recurring basis. You need to make security part of your regular conversation. The following questions should help you stay informed, up to date, and ready for any security issue.
- How are we managing risk? What’s the structure of the team?
- What percentage of the budget is security? Are we funded and staffed correctly? What’s the budget growth or decrease year over year?
- What are the top five risks? Have they moved up or down?
- Do we have a training and awareness program in place?
- Do we have a plan for incidents/data loss? Has it been tested?
- What percentage of critical data is known and encrypted?
- Are we compliant? (if applicable)
- Do we have an ongoing continuous assessment and improvement plan?
- How does our posture compare to like organizations in the same vertical?
- What do I need to know today that I don’t already?
In follow-up posts, we’ll discuss each question in a bit more detail. For now, though, take a cursory look at the list above and start building these questions into your regular conversations.