Executives need to take a particular interest in cybercrime. That is a big ask since most business leaders have a minimal understanding of cybersecurity and don't have the time to become experts in this field. But can they ask the right questions?
Modern organisations rely heavily on digital systems to keep them fast, flexible, and competitive, but such systems also make them more vulnerable and open to various risks, including connectivity failure, data loss, and fines for legal failures. In particular, cyber-related crime and negligence loom large in risk registers. The Allianz Risk Barometer 2022 ranks cyber incidents as companies' top business disruption fear. According to the same survey, South African companies ranked cybercrime and critical infrastructure blackouts as their greatest concerns.
What should an executive or board member ask?
My recommendation is to start with the following five questions:
1. How many endpoints are in the enterprise?
This question may seem very simple but it’s an effective way to check if your security teams are handling their responsibilities. An endpoint is a device that someone can access, and these are the most likely places for a security breach to occur. Astute security managers and executives should know how many endpoints are on the business network. They might need a moment to check for the exact number, but if they cannot cite the number or find it quickly, you can question whether they have accurate security reporting or insights.
2. What are our biggest risks, and what are our contingencies?
When a business experiences a cyber breach, it’s common to ask why it was the target. Executives often think the business was specifically victimised, but in most circumstances, it’s just a case of bad luck. Cybercriminals look for soft targets, using known successful attack methods. The worst thing a company can do is assume it’s not a target, because then it is likely to ignore its cyber risks. Your security experts cannot fall for this assumption. They should exhibit a clear understanding of the business’ risks and be able to show contingency plans and processes for when the worst happens.
3. How do we provide baseline security for a new project?
Modern companies run on software and digital systems, the playgrounds of cybercriminals. Therefore, security must have a place at the start of any new project. Even if the project is an extension of previous work, security staff should check and advise on the project’s protection. But the managers and executives who own the project must ask this question – it’s on them, not security teams, to prioritise security. Security added afterwards is less effective and will hamper the project’s performance. Responsible leaders plan their project budgets and deadlines before anything of consequence happens. Cybersecurity is no different.
4. Are we getting the expected value from our cybersecurity investments?
This question is for the chief financial officers and anyone who runs security budgets. Cybersecurity systems are often complex and require careful coordination with other digital systems. Unfortunately, these implementations might not produce actual value and can lead to more purchases. It’s not a causal relationship – your business might need additional security. But make sure that what you already have is performing to expectation. It will save on unnecessary expenditures and ensure your security is as strong as expected.
5. Do our security people have enough access to the rest of the business?
Security teams cannot operate in isolation. They must be embedded with the rest of the company, advising on security and delivering security measures that fit business requirements. This is often not the case. Security experts aren’t included in project meetings or allowed to ask important questions. They are not represented on the board or at executive levels. They may have the right leaders in place, but these individuals are not equipped or trained to grasp the business picture. You wouldn’t think twice about sending a financial manager on a business course, but do you do the same for security managers? Ensure your security people are treated as a crucial and integrated part of your company.
What if your staff give the wrong answers to these questions?
It’s not necessarily their fault. They could struggle to answer because they lack the right tools, their workloads are overwhelming, or your leaders keep them at arm’s length. They may lack enough access to business operations and strategy.
This questioning exercise aims to establish a rapport with your security people and identify gaps.
Organisations that make an effort to include cybersecurity as a part of business reduce their cyber risks. We call these businesses “cyber-safe”: a state where cybersecurity is as much a part of the organisation as finance, logistics, and human resources are.
If you want a cyber-safe business, start by asking these questions.
Gerhard Swart is the CTO at cybersecurity company Performanta