According to a recent Cloud Security Alliance survey, security of data in the cloud is now an executive-level and board-level concern for 61% of companies. That means CIOs and CISOs need to be prepared to educate non-technical executives about what their organization is doing to protect sensitive data in the cloud. There are two things driving increased interest from executives and board members. First, they hear about how the cloud can reduce cost and improve the company’s competitive advantage. Second, everyone is keen to avoid a serious data breach like the one at Target that reduced the company’s quarterly profit by 46 percent.
Increasingly, the CIO and CISO are asked to present summaries of cloud usage and cyber security threats at board meetings. It’s not enough to know the answers to frequently asked questions, the trick is preparing to explain them for an audience that doesn’t have deep knowledge about firewalls, encryption, or even what apps employees are using. We’ve compiled the 7 most frequently asked questions by the CEO or board of directors so you can start preparing for these conversions. Even if you’re not a CIO or CISO, if you work in IT it’s likely your CIO or CISO will come to you to answer these inquiries. If you’re asked to present, download the free template below to get started.
1. What are the top security threats facing our company?
Companies face many different threats today. Executives and board members hear about malware, advanced persistent threats, compromised accounts, and insider threats in the news. They may not know what they are, how they can impact the company, and what you’re doing to reduce the risk of these threats. Spending time each quarter reflecting on your top security challenges can also help focus where your team spends time and resources on the threats that really matter.
2. What security framework does our company use?
Regulated companies often follow a security framework laid out in a compliance regulation. PCI DSS, HIPAA, and other regulations have strict security requirements for how sensitive data can be handled and who can access what information. Your company may also use a framework such as COBIT to organize your security and governance initiatives. The important takeaway for executives and the board is that the company uses an industry-accepted approach to its security, which shows you’re doing the right things when it comes to protecting the company.
3. What cloud services does our organization use and how risky are they?
Even if your board members don’t use Salesforce, Dropbox, Evernote, or Apple iCloud – no doubt they’ve heard of them before. Some executives want to know what the company’s plan is to take advantage of the cost benefits of cloud – they may question when the company is going to migrate from Siebel to Salesforce. More often, you’ll hear questions about cloud usage surrounding news of a major breach from a major cloud provider. Knowing what cloud apps your company uses, who uses them, and what type of data is stored them is essential. If you lack this knowledge today, it’s time to put a plan together to gain visibility into sanctioned and unsanctioned (shadow IT) cloud usage at your company.
4. What sensitive data is in the cloud and how is it being secured?
Companies with regulated data need to take steps to ensure they don’t violate any compliance regulations like PCI DSS, HIPAA-HITECH, or GLBA (amongst many others). Even if you’re one of the few companies doesn’t have to follow any regulations, you likely have sensitive intellectual property or customer data that you cannot afford to have exposed. It’s much easier to take an audit of sensitive data in the cloud before a major breach than it is once a cloud service has been compromised. Along with mapping what data is stored where, executives also want to know what steps are being taken to secure that data. Is it encrypted? How do we stop sensitive data from leaving the company? How do we know when a breach has occured (before it’s news)?
5. How is cloud governance managed within the organization?
Executives and the board are looking for a clear division of responsibility. Who is responsible for setting policies? What group is responsible for ensuring policies are being appropriately enforced? If there’s a cloud governance committee, who is on the committee? Does the CISO or the head of audit have ultimate responsibility for assessing the security controls of the cloud services used to store corporate data?
6. How do employees learn about security threats and company policies?
The best policies and procedures aren’t very effective unless employees follow them. CIOs and CISOs are frequently asked what the company is doing to inform employees about the risks posed by some cloud services, and what they should do to stay in compliance of company policies and external regulations. Does your company have a security awareness training program? Is information on your policies accessible on your intranet? Perhaps most importantly, do employees have good alternatives if their preferred app does not meet company policies?
7. In the event of a data breach, what is our incident response process?
The last thing you want to happen is for a breach to occur and find out weeks later when a third party notifies you. The failure of Target to identify and stop the breach of millions of credit card numbers ultimately led to its CIO and CEO resigning. You should be able to explain what the company is doing to detect breaches early. Once a breach is detected, what is the company’s response process to quickly stop the breach, assess the damage, formulate a strategy, and notify customers?