Normally, when organizations discuss cybersecurity, all heads turn to IT for management of this issue. But cybersecurity programs are no longer the sole responsibility of IT departments.
Cyber attackers today are infiltrating businesses in ways that go beyond what your technology function can control. For this reason, it’s become vital for businesses to incorporate cybersecurity assessment and control processes across the entire organization. Managing these business risks extends to applications and data outside of the firm’s control, as well as to suppliers and customers.
10 Questions for Every Executive Business Manager
To assess and ensure the strength of a security program, we recommend that management take a key role in making sure they have answers to each of these questions:
- Do you know your company’s cybersecurity risks? You should be able to identify and evaluate potential risks, the sources, how to address them, and develop a cyber risk management program to meet any and all regulatory obligations.
- Do you have an inventory of systems, software, data and information? In addition to your equipment inventory, make sure to include cloud applications, mobile applications and other third parties who may have access to or control of the firm’s data and information. Your answer should be as complete as a financial ledger or physical asset inventory, with the risks associated with each item.
- Is there a cybersecurity defense system in place? Ensure you have a recognized, accepted framework, such as the NIST Cybersecurity Framework (https://www.nist.gov/cyberframework), to address cybersecurity defense in depth.
- How often do you conduct a risk assessment or maturity assessment of your security program against a framework? If this doesn’t happen, it needs to. Creating the best defense is helped by a good offense – it’s imperative to conduct a penetration test of your cyber defenses. This will help identify vulnerabilities that need to be addressed, and show whether your business’ security program can handle cyber risks.
- Do your outsourced providers and contractors have cybersecurity controls and policies in place? External sources should be checked to ensure they align with your policies and controls for data protection. Assess whether they monitor their controls, and consider any risks with vendors and contracts that could pose damage to your company.
- Do you practice ongoing employee awareness and training for cybersecurity best practices? Make sure employees know their roles and understand how to handle and secure sensitive information.
- Do any new technology plans include risk management steps?
- Are you meeting your customers’ security concerns as well?
- Does your external auditor indicate you have cybersecurity-related deficiencies in internal controls over financial reporting? Assess and remedy any deficiencies, as they are sometimes signs that broader cybersecurity deficiencies may exist.
- Do you or another executive manager receive regular updates on operational security? Consider forming a steering committee to regularly review metrics and help balance business goals and security measures.
How did you do? If you answered “no” or “I don’t know” to any of these questions, it’s time to reassess the role that executive management is playing in overall business risk management. Engaging in the process, measuring the strength of your security program, and reinforcing its importance internally and externally will result in a more resilient and secure operation overall.
For questions regarding cybersecurity controls, frameworks, and best practices, contact a K·Coe technology advisor.