The Top 10 Security Questions Your CEO Should Ask

According to the latest Global State of Information Security Survey conducted by PwC, 35 percent of respondents said they do not have an overall security strategy in place. Where companies once focused on securing the walls around their networks, the goal now is to protect valuable data wherever it resides.

Since more and more CISOs now report to the CEO or the board, security must be on the boardroom radar. Emerging technologies such as cloud computing and social media can be beneficial to the bottom line but can pose new challenges in the form of information security risks. Better security doesn’t have to cost more, however. Automating management of user data and streamlining compliance can free up resources to focus on protecting critical data. To that end, here are 10 critical questions you can make sure your CEO and board are asking:

1. Who is accountable for protecting our critical information? Leading companies employ CISOs who focus on securing critical data across the organization. They ensure that security is a consideration at the outset of new business initiatives by lending security experts to business units. Organizations with CISOs also tend to lose less data than those without CISOs, according to studies and PwC’s experience working with a broad range of clients.

2. How do we define our key security objectives to ensure they remain relevant? Security should be considered at the onset of new business initiatives as a way to mitigate risk. CEOs and boards help articulate these objectives as they pursue growth. Security can’t be an afterthought. In the power industry, for example, utilities need to incorporate security in the design of smart grids to protect all of the new points in networks where intrusions can occur.

It’s also a good idea to review your overall security strategy. Weigh risks against business needs, set companywide priorities and use resources to protect the data that, if lost, would cause the most damage. That can change over time as the business evolves. For example, allowing data to move beyond your company’s physical control by outsourcing data storage, sharing inventory information with suppliers or running software on a cloud computing provider’s platform all pose new challenges.

3. How do we evaluate the effectiveness of our security program? Many firms don’t track metrics such as spending on security administration or actively monitor their logs for signs of breaches. Leading firms that track indicators like these are able to benchmark their programs against peers. The benchmarking data along with internal assessments help them determine where to increase spending and where to cut.

4. How do we monitor our systems and prevent breaches? Hackers were once motivated largely by ego, but they now target valuable data they can sell or use to steal money. Cases of state-sponsored espionage known as advanced persistent threats also target companies’ intellectual property. Hackers’ techniques have gotten more sophisticated, and they can hide evidence of attacks, going undetected for months or even years. Yet a study of confirmed breach cases in 2009 found that nearly 90 percent of victims had evidence of the breach in their log files. The moral of this story? Check your logs.

5. What is our plan for responding to a security breach? An effective plan can mean the difference between a quick recovery and a serious blow to a company’s reputation. Yet 63 percent of respondents in PwC’s study said their firms either don’t have a contingency plan or have a plan that doesn’t work.

6. How do we train employees to view security as their responsibility? People are the key to security in a world where valuable corporate data is increasingly moving beyond a company’s physical control. Employees who aren’t trained to think about security can disclose sensitive data on social networks or click on sites that hackers use to infiltrate corporate networks.

Vigilant companies embrace social media and step up training. At Intel, which conducts security awareness training and has an internal portal devoted to security, the view is that “people are the new perimeter.”

7. How do we take advantage of cloud computing and still protect our information assets? As they should do with all business partners, companies need to assess the ability of cloud providers to protect the confidentiality, availability and integrity of their data. They need to understand the risks related to how the cloud provider handles data from multiple clients and how it manages the third parties it uses. In contracts, they need to spell out requirements, including how providers will mitigate the risks and handle data when the contract ends. Certification or third-party audits can be required to ensure that providers do what they promise. A cloud model also requires changes in how companies manage user data, log activity and identify and investigate events.

8. Are we spending our money on the right things? Instead of trying to lock down everything, firms can redeploy their resources to focus on protecting data that is most at risk. Management of user data, which is handled manually at many companies, can be automated to free up resources. Automation can help reduce the vulnerability of companies to human errors inherent in manual management.

9. How can we ensure that we comply with regulatory requirements and industry standards in the most cost-effective, efficient manner? Companies such as highly regulated financial services firms face overlapping requirements. Costs can be reduced by mapping these and conducting tests to demonstrate compliance with multiple regulations and standards. But compliance with Sarbanes-Oxley or the Health Insurance Portability & Accountability Act doesn’t mean systems are secure. Major breaches have occurred at credit-card processors and merchants certified as compliant with Payment Card Industry (PCI) standards.

10. How do we meet expectations regarding data privacy? Financial services firms and health-care providers are required by law to protect personal information about customers and patients. Some states require all businesses to do this, and most states require businesses to notify customers if their personal information is compromised. Companies also need to uphold promises they make in privacy policies; the Federal Trade Commission holds them to their word.

But firms have an opportunity to go beyond compliance and gain consumers’ trust amid growing concern about the amount of electronic data companies collect, analyze and share. For example, smart grid operators can use privacy protection to gain credibility among customers and encourage them to participate, and online advertisers who target ads to people based on products they view could win their confidence by making it easier for people to opt out.

Gary Loveland is a principal in PwC’s advisory practice and leads PwC’s Global Security practice. Based in Southern California, he has deep expertise in information technology, security and risk management as well as extensive hands-on security management and implementation experience. Mr. Loveland has overseen numerous security deployments that have been successfully implemented for millions of internal and external users. He is a regular speaker at security industry events and has written numerous information security articles.