Craig McDonald 16 May 2019 10:03:44 AEST 11 MIN READ

The 6 questions you should be asking your company’s CISO in 2019

Worried that your company will be the next victim of a cyberattack? You should be. From Facebook to Google, Marriott Hotels to British Airways, it seems companies of all industries and sizes are increasingly susceptible to a cyberattack as each day passes.  

As I keep reiterating, cybersecurity needs to be addressed from the top if companies want to be better prepared against cybercrime - through CEOs and by cultivating a security culture within your business. This includes having regular and frequent conversations with your IT and Infosec leaders about the current cyber threat landscape, your organisation’s level of preparedness to meet those threats, and the tone they want to set in promoting a solid security culture.

If your IT and Infosec leaders are indeed up to the task of sufficiently addressing your cybersecurity needs, they should be able to answer these hard questions in the ‘business’ language of cost and risk. 

But have you ever wondered how to even begin that conversation? 

Here are a few questions that are designed to drive and enhance cyber resilience within your organisation. Including these questions in your discussions with your CISO and/or CTO will help you become more aware of the issues at hand, enabling you to set your firm’s agenda for cybersecurity in 2019 and beyond. 

1) What exactly is the risk posed to my business in the event of a successful cyberattack? 

Understanding the exact repercussions of a cyberattack is key if you want to determine the amount of investment you wish to place in your cybersecurity strategy. After all, how do you plan a security strategy if you don’t know what exactly is at stake?  

Ask your CISO about some examples of successful attacks that have occurred in similar-sized organisations within your industry, along with the damage in terms of financial losses, reputation & brand, legal exposure and market competitiveness (in the case of IP theft). 

Here are a few types of stats you should be up to speed on:

The rapid growth in the cost to business, in the number of cyberattacks, and in the complexity of those attacks means the need to take action is urgent. Talk to your CISO about exactly what the risks to your company are in the event of a cyberattack, before you go on to formulating a strategy to mitigate those risks.

2) What’s the top cyber threat facing companies such as ours today?

The basis behind this question is obvious - identifying and isolating your enemy is the first step to winning any battle.  

You might already know the answer to this too - as computing systems themselves become better hardened against cyberattacks, it’s the staff on the ground who offer the easier way in. And one of the easiest ways to reach people on the inside? Malicious emails - an all-too-frequently-used vector for spreading cyberattacks within companies.

“The email vector is one of the most relied upon ways threat actors have to compromise systems.” (2019 State of Malware, MalwarebytesLabs) 

According to this same report, spam with a malware payload (malspam) became the number one method of attack, through phishing and spearphishing attempts. Malware masquerading as MS Office docs is a known threat. 

Once your CISO has detailed the types of malicious emails your company is being targeted with, you can make more informed decisions about the direction your email security strategy should take and what its priorities should be.

Which brings us to the next question. 

3) Can you summarise your company’s cyber defence strategy? How well is your company positioned to deal with such cyberattacks and risks?  

Here’s where the solid technical expertise and sound business understanding of a CISO come in. Ask your tech leaders if your company has the right cybersecurity technology, tools, capabilities, skills and expertise to deal with the risks identified above. How sound is your cybersecurity posture in the context of your industry, and the global threat landscape? 

It’s tough to understand and isolate specific elements of a defence plan in isolation, so ask about your overall cybersecurity strategy to find out the role that specific solutions, technologies and capabilities play within it.

For instance, while there are plenty of strategies for approaching the cybersecurity problem, I always advise my clients that having a multi-layered defence system in place is a must. Experts agree that when building your cybersecurity tech stack, a multi-layered approach is required. It’s sometimes referred to as a ‘defence in depth’ approach: the system is defended using several different methods, so that if one fails, the others will stop the threat. For example, while most firms will have native email security from Google or Microsoft, since we know that nine out of ten attacks start with an email, it’s prudent to employ an additional layer of cloud email security with a solution that adopts a slightly different approach, like MailGuard, which specialises in stopping advanced, zero-day threats.

Ask your CISO about your cybersecurity strategy and the corresponding solutions/technology your business has adopted. What due diligence have they undertaken to arrive at their conclusions, and how robust were the conversations inside your business? 

4) Are we on top of international data compliance rules? 

Not only are cyberattacks making more of an impact on businesses’ bottom lines, but there is now the added onus of compliance activities.

The GDPR imposes worldwide fines of up to US$23 million or 4% of annual global revenue. The biggest fine to date has been €50m, issued to Google by the French agency CNIL.

Simultaneously, with the implementation of the Australian Government’s Notifiable Data Breach (NDB) Scheme, the imperative is greater than ever for business leaders to be more accountable for data security transparency and standardisation. 

Enquire whether all necessary protocols and rules have been followed, and are being followed. It might also be worth discussing a comprehensive data audit with your CISO. Such an audit is fundamental because you’ll need to discover what information your company handles that could create liabilities under the GDPR. The GDPR is very inclusive in its scope, so a data audit should look at all platforms, device types and departments. 

5) What is the company’s response plan in the event of a successful cyberattack? 

I firmly believe that the harsh reality is – it’s not a matter of ‘if’, but ‘when’ an attack will happen. No matter how solid your cybersecurity measures, security perimeters can and will be breached.  

Here’s where incident response planning and disaster recovery strategies come in. These strategies should essentially ensure business continuity, i.e. recovery with minimal loss in the event of an incident. Additionally, they set a process in place to protect mission-critical data from being stolen and/or destroyed.

Ask your teams what plans they have in place for when disaster strikes - and this should include handling unscheduled system downtime that occurs due to natural events, such as bad weather. What plans are in place to help you and your employees detect incidents quickly, to lessen the impact, and return your business to normal as soon as possible? Who is accountable when such incidents happen? Are their roles and responsibilities clear? How long does it take for systems to be up and running? In the event of a data breach, how soon should the company disclose it, who to, and what do those communications look like?  

As CEO, you will probably find your employees looking to you for guidance in the event of a disruption to their IT systems. As such, it’s key that you are clear on what to do and how to advise them to proceed in such turbulent times. Planning and forethought are crucial to avoid making rash decisions on the run, in the heat of the moment. We all know how frantic these situations can be, so every bit of advance planning you can do now, with a clear mind, will be time well spent when a breach does occur.

Poor decisions under pressure may even make a bad situation worse. As the saying goes, “Failing to plan is planning to fail.”

6) Do we truly have an organisational culture that is cyber resilient? How can we spread more cybersecurity awareness among our teams? 

Combating cybercrime via collaboration and shared knowledge is a tactic that is only growing stronger with time. Just like it’s key for CEOs and business leaders to break through the culture of denial, and share our struggles with the wider business community, it’s also key for there to be a strong cybersecurity culture within organisations.  

Ask your CISO to suggest ways your company can strengthen its security stance. You should call on all corners of your business, from sales through to operations, marketing, finance and IT. They all have a role to play in protecting your operations, your data, and your firm’s reputation. 

Enquire about where the current gaps are and what sort of cybersecurity training needs to be provided. This includes understanding how cybersecurity in itself is perceived by the rest of the business to gain a more holistic view of your staff’s approach towards the field. 

Educating the team on what sort of attacks to be on the lookout for (especially in emails) can come in the form of security training, weekly security meetings, email updates, and more. 

Awareness can be targeted at the department level, such as educating HR about their importance in the field of employee data security.

Basically, work together with your IT and Infosec teams and leverage their technical understanding and awareness of the current organisational culture to empower the rest of your employees to think of themselves as the first line of defence.  

It is true that boards and CEOs aren’t expected to be experts across all subjects. They do, however, need to govern decisions concerning risky tech deployments, question IT teams from their own unique perspective, and monitor the effectiveness of counter-measures to inform future decision making.

Your IT and Infosec teams, along with the rest of your organisation, will benefit immensely from such a strategic and informed top-down dialogue. While there are likely to be specific areas of concern for organisations beyond these six key discussion points, these can serve as starting points for you to think about when planning that conversation with your CISO.  

Get the facts

Companies are spending more on cybersecurity now than ever before, but those funds aren't always targeting the most significant dangers. There seems to be a bit of a disconnect amongst many CEOs about the sources of cyber-threat.

Studies consistently show that more than 90% of cyber-attacks are perpetrated via email, yet email security is rarely the biggest item in cybersecurity budgets. If we’re going to win the battle against cybercrime we have to get real about the nature of the threat.

I’m on a mission to help business people understand cybercrime and protect their businesses from costly attacks. If you would like to learn more about the complex cybersecurity challenges facing business today, please download my e-book Surviving the Rise of Cybercrime. It’s a plain English, non-technical guide, explaining the most common threats and providing essential advice on managing risk.

You can download my e-book for free, here.

“Cybercrime is a serious and growing business risk. Building an effective cybersecurity culture within an organisation requires directors and executives to lead by example. Surviving the Rise of Cybercrime is a must-read for directors and executives across business and in government and provides strong foundations for leaders determined to address cyber risk.” - Rob Sloan, Cybersecurity Research Director, Wall Street Journal. 

... ... ...

Hi, I’m Craig McDonald; MailGuard CEO and cybersecurity author.
Follow me on social media to keep up with the latest developments in cybersecurity; I'm active on LinkedIn and Twitter. 
I’d really value your input and comments so please join the conversation.