Translating the jargon-laden techno-babble of network and information systems security into language that a CxO-level executive can understand and act on is one of the biggest hurdles the infosec professional faces.
Often the business side pays little attention to the nitty-gritty details of security issues, aside from making sure audit and compliance deadlines are met, until a major security event occurs, and by that point it is too late.
In an article by Gary Loveland, who leads PwC's Global Security practice, the top ten questions CEOs need to ask about security and compliance issues are outlined in straightforward terms.
The following are short excerpts from the article highlighting the ten questions:
1. Who is accountable for protecting our critical information? Organizations with CISOs also tend to lose less data than those without CISOs...
2. How do we define our key security objectives to ensure they remain relevant? Security should be considered at the onset of new business initiatives as a way to mitigate risk... Security can’t be an afterthought...
3. How do we evaluate the effectiveness of our security program? Benchmarking data along with internal assessments help them determine where to increase spending and where to cut...
4. How do we monitor our systems and prevent breaches? Hackers’ techniques have gotten more sophisticated, and they can hide evidence of attacks, going undetected for months or even years... Check your logs...
5. What is our plan for responding to a security breach? An effective plan can mean the difference between a quick recovery and a serious blow to a company’s reputation...
6. How do we train employees to view security as their responsibility? Employees who aren’t trained to think about security can disclose sensitive data on social networks or click on sites that hackers use to infiltrate corporate networks...
7. How do we take advantage of cloud computing and still protect our information assets? As they should do with all business partners, companies need to assess the ability of cloud providers to protect the confidentiality, availability and integrity of their data...
8. Are we spending our money on the right things? Instead of trying to lock down everything, firms can redeploy their resources to focus on protecting data that is most at risk...
9. How can we ensure that we comply with regulatory requirements and industry standards in the most cost-effective, efficient manner? Compliance with Sarbanes-Oxley or the Health Insurance Portability & Accountability Act doesn’t mean systems are secure. Major breaches have occurred at credit-card processors and merchants certified as compliant with Payment Card Industry (PCI) standards...
10. How do we meet expectations regarding data privacy? Companies need to uphold promises they make in privacy policies; the Federal Trade Commission holds them to their word...
A great deal more information is offered in Loveland's article, published by CIO Update, which can be found here: