Most CEOs are not cybersecurity experts. However, they are good at asking the right questions to assess risk to their organizations. This post outlines the data points a CEO needs to gather in order to assess that risk from a cybersecurity perspective.
More often than not, organizations structure their cybersecurity posture in three tiers. The lower tier comprises the network administrators and security engineers – the smart people hired to get things done. The middle tier, management, more often than not oversees budgets and project management and has a narrow focus on its realm of responsibility versus the good of the whole organization.
The middle tier may act as a filter between the lower tier and the top tier – leadership. Rather than receiving information directly from the engineers, leadership receives it from management, whose narrow focus can act as a filter that may inadvertently give a positive spin to any negative outlook on security, thus giving leadership a false sense of protection.
How can leadership cut through the bureaucracy to get accurate information?
Following are six questions CEOs should ask to better understand their organization’s cybersecurity risk:
The answers to each of these questions may encompass vast amounts of detail. The CEO should have the detailed responses analyzed by the management team so that the team can provide, in business and financial terms, the CEO with a clear understanding of the risk. Further, because CEOs are not typically IT or cybersecurity experts, they should expect management to communicate its analysis clearly and concisely without jargon.
By incorporating these questions into the organization’s business practices and strategy – as cybersecurity strategy needs to align with business strategy – a CEO will be better able to elicit sufficient information and avoid the challenges of the middle tier’s information filter.
In accordance with applicable professional standards, some firm services may not be available to attest clients.
© 2017 Crowe Horwath LLP, an independent member of Crowe Horwath International.
As of June 1, 2016, the professionals of AbleBridge have joined Crowe Horwath LLP, a public accounting, consulting, and technology firm. We continue our focus on Microsoft Dynamics® CRM (now Dynamics 365) sales and implementation as well as innovative add-on products.
The personnel of SDGblue have joined Crowe Horwath LLP, a public accounting, consulting, and technology firm with a global risk consulting practice and offices around the world. This move provides SDGblue clients access to a broader range of products, services, and solutions, while expanding the Crowe cybersecurity risk management capabilities with a deeply specialized team.
Looking for the Client Login?
Access the SDGblue Client Portal