CERT mailing list archives

ST18-007: Questions Every CEO Should Ask About Cyber Risks


From: "US-CERT" <US-CERT () ncas us-cert gov>
Date: Tue, 04 Dec 2018 11:30:13 -0600

U.S. Department of Homeland Security US-CERT

National Cyber Awareness System:



ST18-007: Questions Every CEO Should Ask About Cyber Risks [ https://www.us-cert.gov/ncas/tips/ST18-007 ] 12/04/2018 10:52 AM EST 
Original release date: December 04, 2018

 

As technology continues to evolve, cyber threats continue to grow in sophistication and complexity. Cyber threats 
affect businesses of all sizes and require the attention and involvement of chief executive officers (CEOs) and other 
senior leaders. To help companies understand their risks and prepare for cyber threats, CEOs should discuss key 
cybersecurity risk management topics with their leadership and implement cybersecurity best practices. The best 
practices listed in this document have been compiled from lessons learned from incident response activities and 
managing cyber risk.

What should CEOs know about the cybersecurity threats their companies face?

CEOs should ask the following questions about potential cybersecurity threats:


  * How could cybersecurity threats affect the different functions of my business, including areas such as supply 
chain, public relations, finance, and human resources? 
  * What type of critical information could be lost (e.g., trade secrets, customer data, research, personally 
identifiable information)? 
  * How can my business create long-term resiliency to minimize our cybersecurity risks? 
  * What kind of cyber threat information sharing does my business participate in? With whom does my business exchange 
this information? 
  * What type of information sharing practices could my business adopt that would help foster community among the 
different cybersecurity groups where my business is a member? 

What can CEOs do to mitigate cybersecurity threats?

The following questions will help CEOs guide discussions about their cybersecurity risk with management:


  * What is the threshold for notifying executive leadership about cybersecurity threats? 
  * What is the current level of cybersecurity risk for our company? 
  * What is the possible business impact to our company from our current level of cybersecurity risk? 
  * What is our plan to address identified risks? 
  * What cybersecurity training is available for our workforce? 
  * What measures do we employ to mitigate insider threats? 
  * How does our cybersecurity program apply industry standards and best practices? 
  * Are our cybersecurity program metrics measurable and meaningful? 
  * How comprehensive are our cybersecurity incident response plan and our business continuity and disaster recovery 
plan? 
  * How often do we exercise our plans? 
  * Do our plans incorporate the whole company, or are they limited to information technology (IT)? 
  * How prepared is my business to work with federal, state, and local government cyber incident responders and 
investigators, as well as contract responders and the vendor community? 

Recommended Organizational Cybersecurity Best Practices

The cybersecurity best practices listed below can help organizations manage cybersecurity risks.


  * *Elevate cybersecurity risk management discussions to the company CEO and the leadership team.* 
  * CEO and senior company leadership engagement in defining an organization's risk strategy and levels of acceptable 
risk is critical to a comprehensive cybersecurity risk plan. The company CEO, with assistance from the chief information 
security officer, the chief information officer, and the entire leadership team, should ensure that they know how their 
divisions affect the company's overall cyber risk. In addition, regular discussion with the company board of directors 
regarding these risk decisions ensures visibility to all company decision makers. 
  * Executives should construct policy from the top down to ensure everyone is empowered to perform the tasks related 
to their role in reducing cybersecurity risk. A top-down policy defines roles and limits the power struggles that can 
hurt IT security. 


  * *Implement industry standards and best practices rather than relying solely on compliance standards or 
certifications.* 
  * Lower cybersecurity risks by implementing industry benchmarks and best practices (e.g., follow best practices from 
organizations like the Center for Internet Security [ https://www.cisecurity.org/cybersecurity-best-practices/ ]). 
Organizations should tailor best practices to ensure they are relevant for their specific use cases. 
  * Follow consistent best practices to establish an organizational baseline of expected enterprise network behavior. 
This allows organizations to be proactive in combatting cybersecurity threats, rather than expending resources to "put 
out fires." 
  * Compliance standards and regulations (e.g., the Federal Information Security Modernization Act) define minimum 
requirements; meeting them is a floor, not a ceiling, and there is more businesses can do beyond what compliance demands. 

  * *Evaluate and manage organization-specific cybersecurity risks.* 
  * Identify your organization's critical assets and the impacts that cybersecurity threats to those assets would have, 
so that you understand your organization's specific risk exposure, whether financial, competitive, reputational, or 
regulatory. Risk assessment results are a key input for identifying and prioritizing specific protective measures, 
allocating resources, informing long-term investments, and developing policies and strategies to manage cybersecurity 
risks. 
  * Ask the questions that are necessary to understand your security planning, operations, and security-related goals. 
For example, it is better to focus on the goals your organization will achieve by implementing its overall set of security 
controls than to inquire about individual controls, safeguards, and countermeasures. 
  * Focus cyber enterprise risk discussions on "what-if" situations and resist the "it can't happen here" patterns of 
thinking. 
  * Create a repeatable process to cross-train employees to conduct risk and incident management as an institutional 
practice. Often, there are only a few employees with subject matter expertise in key areas. 

  * *Ensure cybersecurity risk metrics are meaningful and measurable.* 
  * An example of a useful metric is the time it takes an organization to patch a critical vulnerability across the 
enterprise. In this example, reducing the days it takes to patch a vulnerability directly reduces the risk to the 
organization. 
  * An example of a less useful metric is the number of alerts a Security Operations Center (SOC) receives in a week. 
There are too many variables in the number of alerts a SOC receives for this number to be consistently relevant. 
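The following script is an added example of the time-to-patch metric described above; it is not code from US-CERT or from the tip. It measures each critical vulnerability across the enterprise, from the first detection on any asset until the last affected asset is patched, so that one forgotten host keeps the vulnerability counted as open. The findings, asset names, dates, and the 15-day target are constructed sample data and assumptions for illustration.

```python
"""Time-to-patch metric for critical vulnerabilities, measured across the
enterprise rather than per host.

Added example for the metric described in the tip; not US-CERT code. The
findings below are constructed sample data, not output of any real scanner.
"""
from datetime import date
from statistics import median

# Constructed sample findings: one row per (vulnerability, asset).
# Fields: vuln id, asset, severity, date detected, date patched (None = still open).
FINDINGS = [
    ("VULN-A", "web-01",  "critical", date(2018, 10, 1),  date(2018, 10, 4)),
    ("VULN-A", "web-02",  "critical", date(2018, 10, 1),  date(2018, 10, 9)),
    ("VULN-A", "db-01",   "critical", date(2018, 10, 2),  date(2018, 10, 5)),
    ("VULN-B", "mail-01", "critical", date(2018, 10, 10), date(2018, 10, 12)),
    ("VULN-B", "vpn-01",  "critical", date(2018, 10, 10), None),  # unpatched
    ("VULN-C", "web-01",  "high",     date(2018, 10, 3),  date(2018, 10, 20)),
    ("VULN-D", "hr-01",   "critical", date(2018, 11, 1),  date(2018, 11, 3)),
]

# Assumed reporting date for the sample; a real report would pass today's date.
SAMPLE_AS_OF = date(2018, 11, 15)


def enterprise_closure(findings, vuln_id, as_of):
    """Days from the first detection of vuln_id on any asset until the last
    affected asset was patched. A vulnerability with any asset still open is
    reported as open and aged up to as_of, so one forgotten host keeps the
    enterprise exposed no matter how fast the other hosts were patched."""
    rows = [f for f in findings if f[0] == vuln_id]
    first_seen = min(f[3] for f in rows)
    still_open = [f for f in rows if f[4] is None]
    if still_open:
        return {"vuln": vuln_id, "closed": False, "assets": len(rows),
                "open_assets": len(still_open),
                "days": (as_of - first_seen).days}
    last_patched = max(f[4] for f in rows)
    return {"vuln": vuln_id, "closed": True, "assets": len(rows),
            "open_assets": 0, "days": (last_patched - first_seen).days}


def time_to_patch_report(findings, as_of, severity="critical", sla_days=15):
    """Summarise time to patch for one severity band. sla_days is an assumed
    internal target, not a figure from the tip."""
    ids = sorted({f[0] for f in findings if f[2] == severity})
    per_vuln = [enterprise_closure(findings, v, as_of) for v in ids]
    closed_days = [p["days"] for p in per_vuln if p["closed"]]
    open_vulns = [p for p in per_vuln if not p["closed"]]
    return {
        "vulns": len(per_vuln),
        "closed": len(closed_days),
        "open": len(open_vulns),
        # Median rather than mean, so one long-running exception does not hide
        # the typical case; the worst case is reported separately.
        "median_days": median(closed_days) if closed_days else None,
        "worst_closed_days": max(closed_days) if closed_days else None,
        "closed_within_sla": sum(1 for d in closed_days if d <= sla_days),
        "open_past_sla": sum(1 for p in open_vulns if p["days"] > sla_days),
        "per_vuln": per_vuln,
    }


if __name__ == "__main__":
    report = time_to_patch_report(FINDINGS, SAMPLE_AS_OF)
    for p in report["per_vuln"]:
        state = "closed" if p["closed"] else f"OPEN ({p['open_assets']} asset(s))"
        print(f"{p['vuln']}: {p['days']} days, {state}")
    print({k: v for k, v in report.items() if k != "per_vuln"})
```

On the sample data this reports VULN-A closed in 8 days (the slowest of its three hosts, not the fastest), VULN-D closed in 2 days, and VULN-B still open at 36 days because one VPN host was never patched, even though the mail host was fixed in two days. By contrast, the weekly SOC alert count the tip calls less useful would be a single count of a stream whose size depends on tooling, tuning, and traffic volume; nothing in that number moves when the organization's exposure changes.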

  * *Develop and exercise cybersecurity plans and procedures for incident response, business continuity, and disaster 
recovery.* 
  * It is critical that organizations test their incident response plans across the whole organization, not just in the 
IT environment. Each part of the organization should know how to respond to both basic and large-scale cybersecurity 
incidents. Testing incident response plans and procedures can help prevent an incident from escalating. 
  * Incident response plans should provide instructions on when to elevate an incident to the next level of leadership. 
Regularly exercising incident response plans enables an organization to respond to incidents quickly and minimize 
impacts. 

  * *Retain a quality workforce.* 
  * Cybersecurity tools are only as good as the people reviewing the tools' results. It is also important to have people 
who can identify the proper tools for your organization. It can take a significant amount of time to learn a complex 
organization's enterprise network, making retaining skilled personnel just as important as acquiring them. There is no 
perfect answer to stopping all cybersecurity threats, but knowledgeable IT personnel are critical to reducing 
cybersecurity risks. 
  * New cybersecurity threats are constantly appearing. The personnel entrusted with detecting cybersecurity threats 
need continual training. Training increases the likelihood of personnel detecting cybersecurity threats and responding 
to threats in a manner consistent with industry best practices. 
  * Ensure there is appropriate planning to account for the additional workload related to mitigating cybersecurity 
risks. 
  * Cybersecurity is emerging as a formal discipline whose tasks map to specific knowledge, skills, and abilities. The 
National Initiative for Cybersecurity Careers and Studies (NICCS) [ http://niccs.us-cert.gov/ ] is a useful resource for 
workforce planning. 

  * *Maintain situational awareness of cybersecurity threats.* 
  * Subscribe to notifications on emerging cybersecurity threats (e.g., National Cyber Awareness System products [ 
https://www.us-cert.gov/ncas ], the MITRE Common Vulnerabilities and Exposures (CVE) list [ https://cve.mitre.org/ ], and 
CERT Coordination Center Vulnerability Notes [ https://www.kb.cert.org/vuls/ ]). If possible, create a summary of the 
cybersecurity threats your organization has recently faced (e.g., phishing emails, malware, ransomware) for dissemination 
to personnel outside of your IT department to help reinforce their role in reducing cybersecurity risk. 
  * Explore available communities of interest. These may include sector-specific Information Sharing and Analysis 
Centers (ISACs), the Homeland Security Information Network (HSIN) [ https://hsin.dhs.gov/ ], or other government and 
intelligence programs. 




This product is provided subject to this Notification [ http://www.us-cert.gov/privacy/notification ] and this Privacy 
& Use [ http://www.us-cert.gov/privacy/ ] policy.


A copy of this publication is available at www.us-cert.gov [ https://www.us-cert.gov ]. If you need help or have 
questions, please send an email to info () us-cert gov. Do not reply to this message since this email was sent from a 
notification-only address that is not monitored. To ensure you receive future US-CERT products, please add US-CERT () 
ncas us-cert gov to your address book. 

OTHER RESOURCES: Contact Us [ http://www.us-cert.gov/contact-us/ ] | Security Publications [ 
http://www.us-cert.gov/security-publications ] | Alerts and Tips [ http://www.us-cert.gov/ncas ] | Related Resources [ 
http://www.us-cert.gov/related-resources ]  
