IT Governance Blog
June 17, 2015 by Julia Dutton 6 Comments
The ever-present threat of cyber attacks, highlighted by the host of massive data breaches affecting most sectors and countries, is forcing businesses of all sizes to take action. Some reports tell us that cyber security is a hot topic in the boardroom, while other reports imply that the board isn't placing enough emphasis on this thorny matter.

Nevertheless, cyber crime and its associated consequences are here to stay, and if the board is not yet asking the tough questions, it is time that it did.

While some might argue that the board is ill-equipped to challenge the CISO about cyber security risks and their countermeasures, several organisations have already embarked on director training in cyber security.

Although boards of directors and CEOs may not need to know why a certain type of malware can penetrate a firewall, they will need to know what their organisation is doing to address threats known to penetrate firewalls.

Discussions of cyber risk at board level should include identifying which risks to avoid, accept, mitigate or transfer (through cyber insurance), as well as reviewing specific plans associated with each approach.
Ten essential cyber security questions to ask your CISO
http://www.itgovernance.co.uk/blog/ten-essential-cyber-security-question...
1 of 9 7/6/2015 9:17 AM
The board must ensure that the CISO is reporting at the appropriate levels within the organisation. Although many CISOs report to the CIO, it is important to be aware that there may be conflicting agendas between the CIO and the CISO.

The Institute of Internal Auditors recommends asking the CISO the following questions:
1. Does the organisation comply with leading information security frameworks or standards?

Examples include the international information security management standard, ISO 27001, the Payment Card Industry Data Security Standard (PCI DSS) and COBIT, as well as HIPAA for organisations in the US healthcare industry.

2. What are the top risks the organisation faces?

Examples could include bring your own device, Cloud computing, internal threats (employee errors or malicious acts) or supply chain risks.

3. Do we have an effective information security awareness programme?

Most companies realise the benefits of effective staff awareness training. Ensure that the training provides sufficient awareness about the key threats and employee behaviours that can result in a data breach. Staff should also be aware of the increasingly sophisticated tactics used by phishing attacks.

4. Are we considering the internal threat?

A startlingly large number of breaches are caused by employee error (often committed by managers!) or malicious behaviour.

5. In the event of a data breach, what is our response plan?

Many cyber security experts now believe that it is no longer a matter of if but when you will be breached. The critical difference between organisations that will survive a data breach and those that won't is the implementation of a cyber resilience strategy, which takes into account incident response planning and disaster recovery strategies to bounce back from a cyber attack with minimal disruption to the business. The board should also be aware of the laws governing its duties to disclose a data breach.
Other important questions include:

6. Are we conducting comprehensive and regular information security risk assessments?
The risk assessment should provide the board with an assurance that all relevant risks have been taken into account, and that there is a commonly defined and understood means of communicating and acting on the results of the risk assessment. Worryingly, 32% of respondents to a recent PwC information security breaches survey (ISBS) had not undertaken any form of risk assessment. Proven software tools can help speed up and streamline the risk assessment process.
7. Are we adequately insured?

Recent reports reveal that cyber insurance is not adequate to protect companies from a full-scale cyber attack. Although it is difficult to quantify how expensive a data breach can be, information about other data breaches in your industry should provide an indication of the potential damages your organisation might face. Latest statistics reveal that breaches cost large organisations between £1.46m and £3.14m in 2014. Many organisations don't realise that they are liable for a data breach even if the data is stored in the Cloud, or if a third party with which they share information is breached.
8. Are we testing our systems before there's a problem?

There are many tests that can be undertaken to assess the vulnerability of systems, networks and applications. An important element of any security regime should be regular penetration tests. Pen tests are simulated attacks on a computer system with the intent of finding security weaknesses that could be exploited. They help establish whether critical processes such as patching and configuration management have been followed correctly. Many companies fail to conduct regular penetration tests, falsely assuming the company is safe, but new vulnerabilities and threats arise on a daily basis, requiring the company to continually test its defences against emerging threats.
9. Have our internal cyber security controls been audited?

If the organisation has chosen to comply with an information security standard such as ISO 27001:2013, an independent review of an organisation's information security controls can be conducted by a certification body, and can be used to provide evidence of the organisation's commitment to information security. This can in turn be used as a competitive advantage when bidding for new business, as indeed is the case with companies certified to ISO 27001.

10. Is our information security budget being spent appropriately?
26% of respondents to the PwC ISBS said they don't evaluate how effective their security expenditure is.
The board can play a key role in preventing problems before they arise by playing a more active role in cyber risk discussions. By becoming educated and informed, cyber risk in the boardroom need not be a topic that gets discussed only when there is an incident. Don't risk it, cyber secure it. Contact IT Governance for tailor-made boardroom cyber security training on +44 845 070 1750.
Filed Under: Cyber Security, ISO 27001
Lawrence Chard says
July 6, 2015 at 10:11 am
WTF is a CISO, or a CIO? I won't even mention COBIT or HIPAA!
Reply
Satish says
July 6, 2015 at 9:57 am
As the topic mentions, we are looking at the organization-wide security measures by the organization. Hence we have to see all internal as well as outside threats. Internal threats from an employee clicking a phishing link also need to be seen as a risk. I would like to add another aspect of supply chain risks, wherein your business is also vulnerable to the supplier risks, so the same also needs to be assessed and registered with your risk register.
Reply
nicoatridge says
June 22, 2015 at 9:21 am
I would add the question "When did we last test our recovery procedures?". Clearly this would include DR, but also recovering data from a backup source or manual alternatives to automated procedures. Additionally, some of the "what if" thinking should be establishing how vulnerable fallback options themselves are to cyber attacks. For example, a malicious assault on your data may not be detected for some time and backup data may have also been compromised.
Reply
Julia Dutton says
June 22, 2015 at 9:25 am
Hi Nico, great point, thanks.
Reply
Julia Dutton says
June 22, 2015 at 8:53 am
Hi Dirk, thanks for your comment. From our perspective, and certainly the point of view that is being taken by many other security firms, cyber security is an element of a broader information security strategy, which encompasses people, processes and technology. If you aren't practising end-user education, how will you ensure that your employees do not click on malicious links from phishing scams that can damage your entire network? Cyber security may have originated from the "outside" as you call it, but without a comprehensive approach, your best laid plans will fall short of protecting your data.
Reply
Dirk Schadt says
June 22, 2015 at 7:48 am
I'm missing your definition of cyber security and its differentiation from information security. In my definition the first is a threat from outside, the CYBER, the other is about security from inside and outside. Therefore things like security awareness or internal threats are not the subject of cyber security. Otherwise cyber security is just a buzzword for bullshit bingo.
Reply