For the last two decades or more, cybersecurity and its failures have directly impacted organizations’ bottom lines.The call for boards of directors and C-level executives to take a more active role in ensuring that their organizations’ security infrastructures are adequately staffed, equipped and funded has become increasingly loud and persistent. But where do BODs and C-levels, who may have varying degrees of cybersecurity knowledge, begin?
One place to start is by asking your CISO and other leaders in your organization the right proactive questions — ones that will garner the kind of information you need to help you make informed decisions. You will also want to understand what type of information you’re looking for, so you can discern whether the response you’re getting is a positive one. Because cybersecurity issues impact departments across your organization, any discussion about it should include a broad spectrum of department heads.
The Work of CrowdStrike Strategic Advisory Services
CrowdStrike’s strategic advisory services play a crucial role in working with organizations to elevate their cybersecurity readiness by helping them anticipate threats, prepare their environments and improve their security teams’ abilities to stop determined adversaries. The CrowdStrike Services team brings unrivalled skills and experience having worked on some of the world’s most significant cyber investigations. Wherever customers are in the security planning process, CrowdStrike strategic advisory services can improve their ability to withstand sophisticated targeted attacks, and importantly, help then stop the breach.
Questions Boards of Directors and C-Levels Should Ask
The following are some important proactive questions that the Services team has put together to give board members and C-level executives crucial information on what they should be asking about their organization’s cybersecurity readiness. I’ve also included guidance on the positive responses you should look for. A more detailed list of these proactive questions and answers can be found in this guide: “Getting On Board With Cybersecurity.”
Q: What are our biggest threats and what are we doing to defend against them?
These questions should spark a discussion on the organization’s high-value assets or targets, adversary motives and the impact of various types of risk, including financial, reputational, operational, compliance and others. Once the risk is assessed, the team should offer a view into corporate cybersecurity detection, prevention and response capabilities. These capabilities should be tailored to the threats that have been identified from strategic threat intelligence and compared to the risks associated with high-value asset and target information.
Q: Where are our most glaring vulnerabilities and security gaps?
Your organization needs to know where internal security gaps and risk exceptions exist and whether there are controls in place to address these vulnerabilities. There should also be an evaluation of the impact level associated with each vulnerability — higher impact areas should be addressed more frequently to determine if they can be mitigated or reduced. Also, the security team should explain how impacts are assigned to vulnerabilities as they relate to various types of risks.
Q. Would we know if we were breached?
This should elicit a discussion around detection controls and whether your organization has the capacity to monitor and alert in real time. You should also consider proactive threat hunting that can look for evidence of attacker activity even if no security alert has been triggered.
Q. Do we have an incident response (IR) plan and has it ever been exercised?
The best answer would be, “Yes, and it’s updated and tested regularly to reflect the latest changes to our threat landscape and organization.” Ideally the plan should address the roles and responsibilities of responders across the enterprise, not just within the IT security team.The organization should also confirm that this plan is being tested regularly across varying types of exercises, including tabletops, live-fires, adversary emulation and similar simulations.
Q. Do we have retainers in place that include outside counsel, crisis communications and cyber forensics firms?
Ideally organizations have retainer agreements that include start and end dates, hours involved, rates, etc. The worst time to be searching for and vetting vendors is after an incident has occurred, when timing is most critical.
Q. Do we have cyber insurance and if so, have we validated that we meet all the requirements stipulated under the insurance policy?
For most organizations, the answer should be “Yes.” Understanding the need for cyber insurance depends on the industry, as well as the organization’s risk tolerance. However, If an organization does have cyber insurance, the responsible parties should understand what is covered and who owns the responsibility for managing and updating the policy. Note that the absence of cyber insurance is not necessarily problematic, provided it is the result of a conscious decision based on an assessment of the coverage available, and in alignment with other risk management strategies. Where cyber insurance is present, it’s possibly even more important to understand what the payout requirements are along with details of how these requirements are being met. Where applicable, these requirements should be baked into documented processes and procedures
Q. How are we protecting our executives and other individuals in leadership roles?
This should lead to a discussion of physical security for organization leaders, as well as additional IT controls or training applied to these individuals (application whitelisting leveraged on machines, multiple devices for performing different tasks, multiple user accounts, etc.). Other security steps that individuals should consider are defined in Appendix C of the “Getting On Board With Cybersecurity” playbook.
Q. What sources of threat intelligence do we have access to?
At the very least, the organization should be consuming freely available “open source” intelligence. For more mature organizations, the expectation is that paid intelligence subscriptions are in place that provide more detailed intelligence that is of greater benefit to the organization itself, both tactically and strategically. For organizations in certain sectors, formal information sharing and analysis centers (ISACs) can also provide sector-specific information about threats.
Q. Do we leverage tactical intelligence to improve our defenses?
Your organization should be applying “known bad” indicators to its detection and prevention tools. More mature organizations should also employ threat intelligence to perform proactive “hunting,” where you look for evidence of certain potentially malicious tactics and operations within your environment.
Q. Have we identified our critical assets and do we have a classification plan?
It’s imperative that you have a list of your organization’s critical assets that includes the criteria for determining what belongs on that list. Also, your plans should include different levels of security based on the classification of data. For instance, sensitive data should have higher security (encryption, multi-factor authentication, etc.) than public data.
Q. Do we have a plan in place for recovering from a destructive attack?
Organizations should treat destructive attacks with a dual focus on cybersecurity and business continuity. Similar consideration should be given to ransomware-style attacks. Testing these plans through exercises and simulations is a good practice.
These are some of the questions board members can ask that will not only keep you up to date on your organization’s security posture, but will help you make better, more informed decisions. Other questions you should ask, as well as tips and strategies for board members and C-level executives, are included in the comprehensive CrowdStrike® report: “Getting On Board With Cybersecurity.”
Download “Getting On Board With Cybersecurity”.
Learn how CrowdStrike can help your organization answer its most important security questions. Visit the CrowdStrike Services web page.
Test CrowdStrike next-gen AV for yourself. Start your free trial of Falcon Prevent™ today.