Top Ten Security Questions for CEOs to Ask

Thursday, February 03, 2011


Translating the jargon-laden techno-babble of network and information systems security into language that a CxO-level executive can understand and act on is one of the biggest hurdles the infosec professional faces.

Often the business side pays little attention to the nitty-gritty details of security issues, aside from making sure audit and compliance deadlines are met, until a major security event occurs - and by that point it is too late.

In an article by Gary Loveland, who leads PwC's Global Security practice, the top ten questions CEOs need to ask about security and compliance are laid out in straightforward terms.

The following are short excerpts from the article highlighting the ten questions:

1. Who is accountable for protecting our critical information? Organizations with CISOs also tend to lose less data than those without CISOs...

2. How do we define our key security objectives to ensure they remain relevant? Security should be considered at the onset of new business initiatives as a way to mitigate risk... Security can’t be an afterthought...

3. How do we evaluate the effectiveness of our security program? Benchmarking data along with internal assessments help them determine where to increase spending and where to cut...

4. How do we monitor our systems and prevent breaches? Hackers’ techniques have gotten more sophisticated, and they can hide evidence of attacks, going undetected for months or even years... Check your logs...

5. What is our plan for responding to a security breach? An effective plan can mean the difference between a quick recovery and a serious blow to a company’s reputation...

6. How do we train employees to view security as their responsibility? Employees who aren’t trained to think about security can disclose sensitive data on social networks or click on sites that hackers use to infiltrate corporate networks...

7. How do we take advantage of cloud computing and still protect our information assets? As they should do with all business partners, companies need to assess the ability of cloud providers to protect the confidentiality, availability and integrity of their data...

8. Are we spending our money on the right things? Instead of trying to lock down everything, firms can redeploy their resources to focus on protecting data that is most at risk...

9. How can we ensure that we comply with regulatory requirements and industry standards in the most cost-effective, efficient manner? Compliance with Sarbanes-Oxley or the Health Insurance Portability & Accountability Act doesn’t mean systems are secure. Major breaches have occurred at credit-card processors and merchants certified as compliant with Payment Card Industry (PCI) standards...

10. How do we meet expectations regarding data privacy? Companies need to uphold promises they make in privacy policies; the Federal Trade Commission holds them to their word...

A great deal more information is offered in Loveland's full article, published by CIO Update, which can be found here:

Source: http://www.cioupdate.com/features/article.php/3923086/The-Top-10-Security-Questions-Your-CEO-Should-Ask.htm
