Teri Radichel

Summary

The article outlines 20 critical cybersecurity questions that executives should pose to their security teams to effectively measure and mitigate cyber risks.

Abstract

In the realm of cybersecurity for executives, the article emphasizes the importance of understanding cybersecurity risks and their potential financial impact. It suggests that executives should engage with their security teams by asking targeted questions to uncover vulnerabilities and prioritize risk management. These questions cover a range of topics including outdated software, internet exposure, data encryption, attack path analysis, credential theft potential, multi-factor authentication adoption, security policies, vendor vetting, incident response preparedness, automation levels, and overall risk assessment. The article aims to guide executives in creating actionable cybersecurity reports that quantify risk and inform appropriate security spending, with a focus on cloud security and evolving threat landscapes.

Opinions

  • The author believes that executives must prioritize cybersecurity risk assessments similar to financial reviews to prevent losses.
  • Understanding the questions and their implications is crucial for identifying data breach risks within an organization.
  • The article suggests that executives should not only be aware of the security measures in place but also actively participate in the review of cybersecurity risk reports.
  • The author advocates for a proactive approach to cybersecurity, including regular testing of backups and incident response plans.
  • There is an emphasis on the need for collaboration between security teams and developers, as well as the enforcement of security policies to limit errors.
  • The author stresses the importance of monitoring vendor security practices and the effectiveness of security solutions in preventing attacks.
  • The article posits that risk reports should be based on quantifiable metrics and that organizations must stay informed about new threats to adapt their security strategies accordingly.

20 Cybersecurity Questions for Executives to Ask Security Teams

Measuring cyber risk effectively

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

🔒 Related Stories: Cybersecurity for Executives

💻 Free Content on Jobs in Cybersecurity | ✉️ Sign up for the Email List

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

In this series on Cybersecurity for Executives, I previously explained how cybersecurity risks contribute to financial losses. In the second post, one of the recommended strategies for mitigating cybersecurity losses was for top executives to review cybersecurity risk reports just as they review other financial matters. Consider the potential losses and damage from cybersecurity threats and prioritize accordingly.

Determining what should be on a report starts with asking the right questions. Here are twenty high-level cybersecurity questions executives can ask their security team. I based these questions on years of security research into what causes data breaches, including for some time at a security vendor that sells firewalls, endpoint security, and wireless security products. By asking these questions, you will understand how many problems exist in your organization that could lead to a data breach. Once you know what is creating the risk, you can work on fixing it to reduce potential exposure and losses.

Click here to purchase a full copy of the ebook or paperback on Amazon: Cybersecurity for Executives in the Age of Cloud

If you don’t know what all these questions mean, don’t worry. I’m going to explain each one in the remaining blog posts on this topic. Please make sure to follow me here or on Twitter @teriradichel for updates.

  1. How many of our systems are running out-of-date software with known security flaws (otherwise known as CVEs)? Consider not only operating systems, but any application, printers, IoT devices, and anything that could have out-of-date firmware or software. Read more: CVEs: Security Bugs that Bite
  2. What is the percentage of systems exposed to the Internet? Could the systems run in private networks? How many systems expose administrative and high-risk ports such as 22, 3389, 23, 445, and 137–139? Read more: How network traffic got me into security | Exponential increases in cyber risk from Internet exposure | High-risk ports: The chink in your network armor
  3. How many systems expose data to the Internet and what kind of data? PII? Financial data? Include cloud storage services like S3 buckets, Google Drive, and Box.
  4. What is the total number of attack paths on our network? Every network path between two systems is a potential attack path that increases overall risk.
  5. What is the potential damage if any one person’s credentials are stolen — via phishing or any other sort of credential compromise? How much could an attacker access?
  6. What percentage of accounts in our organization require MFA? What percentage of activities in our organization require MFA before a user can execute an action?
  7. What percentage of our data is encrypted when stored?
  8. What percentage of our network communications are encrypted?
  9. How many outstanding high, medium, and low-risk findings are in the results of assessments, penetration tests, or audits? For example, even though you have encryption, are encryption keys handled properly?
  10. In the event of a security incident or disaster, could we restore our systems from a backup? Have we tested this? Recently? Are our backups air-gapped so malware cannot infect or access them?
  11. Do our developers understand network, application, and data security? Do we perform threat assessments before building systems? Are security teams and developers working together closely?
  12. Do we have policies in place that limit mistakes that can lead to increased security risk and potentially a data breach? How are they enforced?
  13. Who is generating the most exceptions to security policies — and why?
  14. Are security checks built into our deployment systems to prevent vulnerabilities from being deployed?
  15. How are we vetting our vendors? Do your vendors follow the same security practices you do? Are you monitoring vendor activity and security as it pertains to your business? Where and how are security products designed, developed, manufactured, and tested?
  16. How many attacks have our current security solutions and processes prevented that could have led to significant financial loss? What have they missed? In other words, what is the efficacy of the security systems we purchased?
  17. Do we have an incident handling team? Do our developers, IT staff, and business executives know what to do in case of a security incident and how to respond? When is the last time we practiced incident handling?
  18. What percentage of our activities are automated? How can that percentage be increased?
  19. What is the overall risk level? Is it going up or down over time? Are risk reports based on quantifiable metrics? Can risk items be tested? Or is the risk score a purely subjective estimate?
  20. How is the threat landscape changing? How is your organization monitoring for new threats that could impact your business?
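As an added example, not code from the article or from 2nd Sight Lab, the script below shows how a security team could turn questions 1, 2, 4, 6 and 19 into the kind of quantifiable, testable numbers a risk report should rest on. The asset inventory, allowed network flows, account list and CVE identifiers are all constructed sample data (the CVE strings are placeholders, not real advisories); in practice these would come from an asset database, firewall or security-group rules, and the identity provider.

```python
"""Added example (not from the original article): computing a few of the
metrics the questions ask for from a constructed asset inventory.
All hostnames, flows, accounts and CVE identifiers below are made up."""
from collections import deque

# Administrative / high-risk ports named in question 2 (137-139 expanded).
HIGH_RISK_PORTS = {22, 3389, 23, 445, 137, 138, 139}

# Constructed inventory: open ports, Internet reachability and known CVEs.
SYSTEMS = {
    "web-1":   {"internet": True,  "ports": {443},       "cves": []},
    "jump-1":  {"internet": True,  "ports": {22, 443},   "cves": ["CVE-PLACEHOLDER-1"]},
    "win-1":   {"internet": True,  "ports": {3389, 445}, "cves": []},
    "db-1":    {"internet": False, "ports": {5432},      "cves": ["CVE-PLACEHOLDER-2"]},
    "print-1": {"internet": False, "ports": {9100, 23},  "cves": ["CVE-PLACEHOLDER-3"]},
}

# Constructed allowed flows (source -> destinations), as a firewall rule
# review would produce. Question 4 counts every pair of systems where the
# destination is reachable from the source, directly or through other hops.
FLOWS = {
    "web-1":   {"db-1"},
    "jump-1":  {"web-1", "win-1", "db-1"},
    "win-1":   {"print-1"},
    "db-1":    set(),
    "print-1": set(),
}

# Constructed account list for question 6.
ACCOUNTS = [
    {"user": "alice",      "mfa": True},
    {"user": "bob",        "mfa": True},
    {"user": "svc-backup", "mfa": False},
    {"user": "carol",      "mfa": False},
]


def pct(part, whole):
    """Percentage rounded to one decimal; 0.0 when there is nothing to count."""
    return round(100.0 * part / whole, 1) if whole else 0.0


def systems_with_known_cves(systems):
    """Question 1: systems carrying at least one known CVE."""
    return sorted(name for name, s in systems.items() if s["cves"])


def internet_exposure(systems):
    """Question 2: share of systems reachable from the Internet, plus the
    Internet-facing systems that expose a high-risk port."""
    exposed = [n for n, s in systems.items() if s["internet"]]
    risky = sorted(n for n in exposed if systems[n]["ports"] & HIGH_RISK_PORTS)
    return {"exposed_pct": pct(len(exposed), len(systems)),
            "high_risk_port_hosts": risky}


def attack_paths(flows):
    """Question 4: number of ordered (source, destination) pairs in which the
    destination is reachable from the source over allowed flows (BFS)."""
    paths = 0
    for src in flows:
        seen, queue = {src}, deque([src])
        while queue:
            cur = queue.popleft()
            for nxt in flows.get(cur, ()):
                if nxt not in seen:
                    seen.add(nxt)
                    queue.append(nxt)
        paths += len(seen) - 1  # every reachable system except src itself
    return paths


def mfa_coverage(accounts):
    """Question 6: percentage of accounts that require MFA."""
    return pct(sum(1 for a in accounts if a["mfa"]), len(accounts))


def risk_report(systems=SYSTEMS, flows=FLOWS, accounts=ACCOUNTS):
    """Question 19: a report built from numbers that can be re-measured
    next quarter, rather than a subjective score."""
    exposure = internet_exposure(systems)
    return {
        "systems_with_cves": systems_with_known_cves(systems),
        "internet_exposed_pct": exposure["exposed_pct"],
        "high_risk_port_hosts": exposure["high_risk_port_hosts"],
        "attack_paths": attack_paths(flows),
        "mfa_coverage_pct": mfa_coverage(accounts),
    }


if __name__ == "__main__":
    for key, value in risk_report().items():
        print(f"{key}: {value}")
```

Because each figure is derived from inventory data rather than estimated, the same script run against next quarter's inventory answers the "is it going up or down over time?" part of question 19 directly, and a failing assertion on any of these functions is a concrete, testable risk item.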

I offer these questions as a starting point. The questions, answers, and recommended solutions will differ for each business based on size, industry, and other factors. Use these questions to create cybersecurity reports that help executives quantify risk and prioritize cybersecurity spending appropriately. I will explain each of these items in future blog posts, as well as how they relate to cloud security.

Follow for updates.

Teri Radichel | © 2nd Sight Lab 2019

About Teri Radichel:
~~~~~~~~~~~~~~~~~~~~
⭐️ Author: Cybersecurity Books
⭐️ Presentations: Presentations by Teri Radichel
⭐️ Recognition: SANS Award, AWS Security Hero, IANS Faculty
⭐️ Certifications: SANS ~ GSE 240
⭐️ Education: BA Business, Master of Software Engineering, Master of Infosec
⭐️ Company: Penetration Tests, Assessments, Phone Consulting ~ 2nd Sight Lab
Need Help With Cybersecurity, Cloud, or Application Security?
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
🔒 Request a penetration test or security assessment
🔒 Schedule a consulting call
🔒 Cybersecurity Speaker for Presentation
Follow for more stories like this:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ 
❤️ Sign Up my Medium Email List
❤️ Twitter: @teriradichel
❤️ LinkedIn: https://www.linkedin.com/in/teriradichel
❤️ Mastodon: @teriradichel@infosec.exchange
❤️ Facebook: 2nd Sight Lab
❤️ YouTube: @2ndsightlab