Andrew Rogoyski

Challenging your organisation: 11 cybersecurity questions CEOs need to ask

It is increasingly clear that cybersecurity is a key factor in a company’s performance, reputation and valuation. This point is brought home in The Cyber-Value Connection report published by CGI in the UK, which quantifies the connection between a severe cyber breach and damage to company value.

Adverse publicity around breaches puts cyber risk increasingly on the radar for investors and regulators. As a result, cyber is a critical issue for boards of directors and CEOs. Yet, few have the expertise needed to develop plans to protect their organisations. (Read more in CGI’s 2016 study, Cyber security in the boardroom: UK plc at risk.)

But this situation will change. Board members will face increasing pressure to consider cyber risk, and it will influence how their personal performance is assessed. Expectations will fall heavily on the CEO who, in the event of a cyber incident, will face questions from the media, customers, employees and investors. It is likely that we’ll see more CEOs forced to resign as a result of a cybersecurity breach.

Making the case for robust cyber governance

What companies need first and foremost is a strong cyber governance structure. Board members can take the first step toward this goal by challenging their organisation on cyber issues. Senior executives need to understand what they know (or don’t), where there is confidence (or isn’t), and where plans are prepared (or aren’t). With these answers, they can build the expertise, personnel and governance needed to anticipate and manage breaches effectively.

Here is a small collection of questions that a CEO might ask their organisation. They are not intended to be a technical checklist; rather they will elicit a degree of confidence in response that will, in turn, reveal the real state of preparedness.

Governance and planning

  1. Who is responsible for cybersecurity?
  2. Can you show me our current cyber incident response plan?

Situational awareness

  1. Who can brief me on our cyber risk profile today?
  2. How many attacks did we see last week?
  3. What did we learn from our last cyber incident?
  4. What independent tests have we done?

Business context

  1. Is cybersecurity one of our corporate business risks?
  2. How much would it cost us if we lost all our IT systems for a week?
  3. What is the most valuable information that this company has?
  4. How much do we spend on cybersecurity every year?
  5. Are we prepared for the European Union’s General Data Protection Regulation (GDPR)?

The scale of cyber risk may be intimidating, but these threats can be mitigated like any other risk: with strong leadership, sound governance, adequate preparation and planning. It all starts at the top, and the CEO sets it in motion. Learn more about asking the right questions in our report, The Cyber Value Connection.