Questions CEOs and CFOs Should Ask Their Cybersecurity Teams

Depending on how much you know about cybersecurity, the questions that need to be asked may range from extremely basic to moderately technical. Do not be afraid to ask those basic questions, you need to be able to understand the basics first to be able to protect your assets and learn about cybersecurity. Some of your employees could have some of the same basic questions as you do. And since everyone has access to confidential information, it is imperative all employees have basic training, whether that is a beginner level course such as the CompTIA Fundamentals+ certification course, CompTIA A+ certification course or other cybersecurity courses. Below I have outlined some basic questions any CEO and CFO should be asking their cybersecurity team. If you feel comfortable with the basic questions, move on to the technical questions. 

Basic Questions 

#1: Where is our data stored? Financial information? Is it secure? 

Your team most likely has a data inventory where you can see where each type of data is, if it is stored secretly or available to the entire organization (should be secure whether it is secret or not), who has been assigned to maintain said data, and what devices have what software installed.  

Your financial information should have strict documentation and information flow as you do not want anything to be overlooked or missed. This is potentially one of your most expensive and high-risk data.  

#2: Are we doing the “basics” right? 

Security basics could include maintaining an inventory of all devices, software, and data and maintaining a risk register. It also includes patching computers, running firewalls and antivirus, penetration testing and ensuring everything is up to date.

#3: What is the current level and business impact of cyber risks to our company, and what is the plan to address identified risks? 

Your current level of risk helps you determine your cybersecurity budget, provides you confidence in front of stakeholders and board members and can help you determine if you need to train or hire more IT or cybersecurity professionals. 

Every company needs to have a cyber incident response plan. If your cybersecurity team does not, find out why and if there is anything you need to do to supply them with the resources they need. 

#4: What cybersecurity training is available for our workforce? 

As I have mentioned before, there are many beginner courses for non-IT employees. There are also lots of cybersecurity training courses for your IT and cybersecurity employees, these courses can include Security+ training and Network+ training. If you have someone on your cybersecurity team with over four years of experience and you want to keep their skills up to date, a CySA+ training course would be beneficial for your employee to complete. 

#5: Are we compliant with proper regulations and laws? 

Being aware of regulations and security laws may seem like an easy task, but surprisingly many things can be overlooked. Depending on your type of business, you will have different regulations your company must comply with. Some examples include the Payment Card Industry Data Security Standard or the CIA triad. 

#6: Is our information security budget enough? Is our spending optimized? 

Knowing your current level of risk is important to determine your security budget. There are “acceptable” standards of security each business defines; most organizations leave out their cybersecurity team in this discussion, do not do that. Bring them into the discussion, they will be able to provide an accurate standard of security necessary for the company’s data. 

#7: If a cyber-attack is successful, what is the potential damage to your organization’s brand? 

This is just smart business to know what kind of plan you need to protect any assets, your company’s image, and any client’s or customer’s information. Depending on the type of attack, it can cost your company a lot of money and time to repair the damage to both your company, its image, and your customers or clients.  

Technical Questions 

• How many and what types of cyber incidents do we detect in a normal week, and what is the threshold for notifying executive leadership? 
• How can cybersecurity and finance leaders best work together? 
• What kind of cyber threat information sharing does my business participate in? What third parties have access to our information and do they need that access? 
• How do we continue accelerating our business while still managing to stay secure? 
• How confident are you in preventing rogue access points into your secure infrastructure? 
• What measures do we employ to mitigate insider threats? 
• What is the possible business impact to our company from our current level of cybersecurity risk? 

Asking these questions will protect your company's assets, help you learn more about cybersecurity, and show your employees you care about them and their success.  

Disclaimer

The information contained in this post is considered true and accurate as of the publication date. However, the accuracy of this information may be impacted by changes in circumstances that occur after the time of publication. Ashton College assumes no liability for any error or omissions in the information contained in this post or any other post in our blog