Although cybersecurity was once considered solely an information technology (IT) concern, the increase in frequency and sophistication of cyber-attacks demands a shift in thinking. For a cyber program to be truly effective, it must involve the CEO, Board Members, and other senior executives in addition to information security and IT professionals.
CEOs should ask themselves several questions to determine their organizations’ risk appetites.
- What internal and external threats do we face?
- What are my organization’s critical assets and information? Can I prioritize what’s most important to continued business operations?
- What information does my institution manage and where is it stored? Who has access to it?
- Does my organization have a Chief Information Security Officer (CISO)? If not, who is responsible for cybersecurity?
- Who is providing services to my organization? How do we ensure our vendors to take care of their own information and ours?
- Am I receiving the cybersecurity information I need to make active risk management decisions?
- Am I routinely communicating relevant risk environment and risk management decisions to the Board?
- How can my budget be optimized to address cybersecurity concerns?
KNOW WHO TO ASK
You may not be able to answer all these questions on your own, so it is important to know who carries out cybersecurity activities at your organization and to communicate with them. Identify the cybersecurity professionals who work for you and their areas of expertise. They should be able to answer your questions and provide feedback on the efficacy of your cybersecurity program.