By David J. Lineman
One of the growing business risks facing companies today is the possibility of a damaging data breach or cyber attack. Since 2005, over 3200 reported breaches have exposed over 500 million records, generating millions in fines and hundreds of embarrassing headlines. So how can board members know if their management team is managing these risks? While information security is a very technical subject, Board members can still hold senior management accountable to some key principles. Below are six questions you can ask the CIO of any organization you are advising to gauge his or her understanding of some common IT security risks.
1. Do our security policies cover mobile and social media?
Most of us are carrying more computing and storage power in our phones than we had in the first desktop PCs, and studies show that over 90 percent of us have some type of sensitive information on them. As the number of social media users grows past 1 billion, corporate data is also ending up on social networking sites. The use of mobile and “social” technologies by employees is one of the greatest risks to corporate data, and yet many companies fail to address these in their written information security policies. A 2010 survey of over 1200 organizations [by IT Toolbox] showed that less than 60 percent have security policies that address mobile devices and less than 40 percent have policies on the secure use of social media. Addressing these two areas is critical to protecting the flow of information in and out of your organization.
2. Are we sure ALL of our employees and contractors have been trained in basic information security principles?
Every study of data breaches for the last 15 years has shown that from 80-90 percent of all major breaches involve human error. And yet most organizations spend less than one percent of their IT security budget on security awareness training. This is perhaps the most lopsided statistic in all of IT. While many organizations spend tens of thousands of dollars on technology, they fail miserably in educating their users. A basic security awareness course can cost as little as $15 per user. If your CIO is serious about reducing IT risk, then users have to be part of the equation. As a Board member you can help by encouraging budget approval for this sorely overlooked way to reduce risk and show employees you care about security.
3. Do we understand the risk of third-party vendors?
A growing number of security and privacy breaches now involve a third-party vendor or contractor that was entrusted with handling sensitive corporate data. This risk is growing with the rapid adoption of “cloud” computing resources which are shared among tens or hundreds of companies. Breaches by third parties are not only more common, but more costly. Studies by Verizon indicate that breaches by third parties are the most costly – usually 65 percent more than those committed by internal staff. To get a proper handle on information risk, your organization needs to understand which vendors handle your most sensitive data and how they protect it.
4. Are our legacy systems (including SCADA) included in our asset inventory?
Many organizations in the energy industry employ sophisticated control systems (also known as SCADA). SCADA systems are used to control large machinery and generally run out in the field, away from traditional IT management. This means the security of these systems is often overlooked. Over the last year, SCADA systems have become vulnerable to very sophisticated malware which can infect and even enable remote control of these systems. To make sure these legacy systems are not ignored, ask if they are included in the official list of corporate IT assets.
Hurricanes Ike and Katrina were wake-up calls to nearly every business on the Gulf Coast. The large-scale flooding and power outages required tremendous recovery resources. While some organizations were down for days or weeks, some never recovered. Whether it’s a natural disaster or a cyber attack, a business needs to be able to recover operations quickly. This question will help you understand if the CIO has done some serious thinking about disaster recovery and business continuity. Every organization should have a target recovery time for each key business process.
6. What are the top two IT security risks and what specifically are we doing to address them?
If you are short of time in the Board meeting, you can skip questions 1-5 and ask just this one. IT governance is about reducing risk. This implies that the organization completes a formal risk assessment process, where the major IT threats to the organization have been documented and addressed. If you get a specific answer to this question, it shows not only that risks have been identified and prioritized, but that business controls (such as policies and procedures) have been identified to reduce these risks. If the response is anything like, “We’ll get back to you on that,” your IT ship might be sailing for a digital iceberg.
David Lineman is President of Information Shield, based in Houston. Information Shield provides information security policies, training and consulting to help organizations reduce risk and comply with regulations.