Ask Your Security Team These Questions in 2018

Published by Corey E. Thomas

As a society, we must address cyber-risks from every angle: every technology or Internet user must be educated so they can better secure themselves. As business leaders, we bear this responsibility not only for ourselves, but also for our teams, colleagues, and organizations.

To help get you started, here are some questions I recommend you ask your head of security. I also highly recommend that, regardless of your role on the board, you get to know your security team. Help them understand how board-level oversight of risks works, and meet them with an open, inquisitive mind so they can educate you on security concerns and implications.

1. Does the security team have a full, well-informed view of the organization’s security posture?

One of the most fundamental challenges organizations face when it comes to security is getting full visibility of the technology assets being used across the organization and their associated risks.

You can’t defend something if you don’t know that you have it. Finding that one key weakness that provides the perfect opportunity for an attacker can be like finding a needle in a haystack.

It can also be challenging for security professionals to cut through the noise in the security industry to focus on the most relevant core threats. Doing so will enable them to focus their time, resources, and investments in areas that will have maximum impact for your organization.

Here are some additional questions you can ask:

  • Which threats are most relevant to the company, which assets are most vulnerable, and which are most likely to be targets? Ask the security team to explain their answers.
  • Does the security team share threat information with security teams at other organizations of a similar profile?
  • Does the security team have full visibility and control of our entire technology environment, including assets we lease rather than own? Does the team have a detailed inventory of key assets, who is using them and how, and what known risks relate to them?
  • Is the security team part of the procurement process for all technology products and services? Do they vet technology vendors on the security of their products or services? Do they investigate the vendor’s practices for reporting and patching vulnerabilities?
  • Does the security team know who has access to what applications and services? Have they locked access down as far as possible, so people only have the privileges needed to perform their day-to-day role?

2. Is our organization resilient to attack?

Companies are under attack daily, either from automated, internet-wide attacks, or from more targeted and determined attacks. It is important to ask your security team questions about the security measures they have in place to reduce the likelihood and impact of a breach. There is no such thing as a silver bullet or impenetrable force field that will perfectly protect your organization. The key is to ensure your organization is taking a multi-faceted, layered approach that leverages technology, people, processes, and policies together for maximum effect. Your security team should be focusing their limited resources on actions that most reduce the risk associated with the greatest threats to your organization.

Take this opportunity to have your head of security explain why they made the trade-offs they did, and how those decisions could impact the business. Make sure they are aligning their decision making with overall organizational goals, compliance requirements, and real technical risks.

  • Is all company and customer data encrypted at rest and in transit? If not, which data is being encrypted and when?
  • Has the security team segmented the company’s networks to reduce an attacker’s ability to move through the network and reach valuable assets?
  • Does your organization regularly back everything up to reduce susceptibility to ransomware attacks? Do you run regular backup and restore drills?
  • Do you know how susceptible our employees are to phishing? Are you investing in education programs to raise security awareness?
  • Do you have multi-factor authentication in place on all of our technical services and applications?
  • Does the organization have cyber insurance to help it recoup any costs of a security incident? Which scenarios or factors are not covered by the insurance?

3. Is the security team confident it can detect and respond quickly to security incidents?

According to the 2017 M-Trends report, it takes an average of 99 days for organizations to discover attackers in their networks. The longer an attack goes undiscovered, the greater the likely harm will be, so it is critical that your organization is able to detect and respond to security incidents quickly. Full visibility across all technical assets, properly stored and analyzed logs, and sufficient manpower to investigate alerts in a timely manner are all essential ingredients for quickly detecting security incidents.

A properly coordinated response will likely involve representatives across the business, so it is important that your board and security team understand what roles each department plays in a response.

Some relevant questions include:

  • Does the security team map normal behavior (both for human users and machine entities) on the network? Are they able to detect anomalous behavior?
  • Is the security team able to investigate and verify alerts quickly? Do they have sufficient resources committed to the monitoring systems that alert on suspicious activity?
  • How quickly could the security team investigate a potential breach or determine which technology assets and users may have been compromised? Does the security team have sufficient visibility across all technical assets to investigate fully? Does the security team log any information that would be needed to investigate a security incident?

  • Does the company have an incident response plan in place, with roles clearly defined and understood across the organization (including legal, finance, communications, IT, customer support/engagement, etc.)? When was the last time the company ran an exercise to test its preparedness and response? Who is responsible for driving this initiative in the organization?

4. How do you measure the effectiveness of our cybersecurity program and initiatives?

Testing and verifying the effectiveness of your security program and initiatives is part of many industry cybersecurity compliance requirements. It is also a pragmatic measure that helps your organization understand where it needs to make investments, and how resilient it really is to attack. A key part of this review is engaging security professionals to penetrate the company’s infrastructure to test for vulnerabilities. This will help you understand the efficacy of your defenses, hopefully uncover the opportunities attackers may spot, and investigate the potential outcomes of an attack.

Some questions to ask your security team include:

  • Is the security team proud of the company’s patching program? Do they feel adequately supported by the IT team in their efforts?
  • Who is responsible in the organization for initiating testing of organization-wide breach readiness?
  • How frequently does the security team test the company’s defenses for effectiveness? Do they hire external security consultants to try to penetrate the network and facilities?
  • Is the security team able to track progress over time?
  • Does the security team have a view of the maturity of its program? Is there a clear roadmap for future progress?
  • What measures has the security team taken in the past six months to improve security posture? What results have they seen? How will they adjust the program moving forward?

5. Do political or financial considerations impact your ability to protect the organization effectively?

It’s the reality of every business that budgets and other resources are not limitless. Investment must be proportionate to the business growth and context. However, it is also worryingly easy to overlook financial or political constraints that can hamstring your security program. You do not want to become aware of fixable limits on the security program at the point that you are reeling from a security incident.

The challenges of internal politics may also hold your security program back and expose your business to unnecessary risk. Investigate the structure of your security organization, its reporting line, and its standing with key partner departments in the business such as IT, engineering, and legal.

Investigate any barriers that are limiting the effectiveness of the security program now, discuss them in an open environment with the organization’s leadership, and make informed decisions on how to move forward based on a realistic view of your organization’s risk tolerance and budget.

  • Are there any budgetary or political roadblocks to implementing foundational security controls?
  • Does the security team have adequate headcount and resources? How is the answer to this question determined? If not, in which areas are we below critical mass?
  • Does the head of security have the opportunity to be heard among the most senior executives in the organization?
  • Do the business leaders across the company truly understand the potential costs and implications for the business of being breached? Do they discuss risk tolerance and prioritization trade-offs in an open, strategic way? Do they build resilience plans based on these discussions?
  • Is security considered an audit function, or does the organization strive to build security into its products, services, and operations by design?

Security is complex, constantly evolving, and often unfortunately viewed as a drain on the business. Yet the benefit and necessity should be clear: having an effective and well-managed security program is key to minimizing risk and building resilience for your organization. Every part of the organization must play a role in this, and must understand the security priorities for the organization—and that responsibility extends to the boardroom.

Corey Thomas is CEO, president, and a member of the board of Rapid7.

CES Tour Reveals Trends and Innovations That Will Reshape Business

Shelly Palmer guides directors through the show floor.

At the conclusion of day two of NACD and Grant Thornton’s board-focused experience at the 2018 Consumer Electronics Show (CES), my feet are throbbing, my head is spinning, and I have a clearer picture of what the future holds thanks to a much sought-after spot at Shelly Palmer’s breakfast lecture on innovation and future trends, which was followed by an exclusive, small-group tour of this colossal show—some 3,900 exhibitors in all.

According to Palmer, the next-generation automobiles displayed by Mitsubishi, Nissan, Ford, and so many other companies raise the following question: How will we move—or want to be moved—from point A to point B?

“What does it mean to get from here to there? Uber is already self-driving. I push a few buttons and the car shows up,” Palmer said as he took us through the North Hall of the Las Vegas Convention Center—home to what has been dubbed the world’s largest auto show.

Among the flashier electric vehicles on display was the Mercedes-AMG Project ONE Showcar, an electric hybrid Formula 1 race car. While only 275 of these cars will be made, the technology applied in its engineering eventually could end up in your self-driving car. AI might also sneak its way in. (To see more about the implications of AI, watch Erin Essenmacher’s interview with data scientist J.T. Kostman.)

Palmer also highlighted the following provocative insights to the directors in our tour group:

  • Smart speakers are among the fastest-adopted technologies, having achieved 50-percent penetration in U.S. homes in just three years.
  • Any device powered by electricity will be voice-controlled.
  • While Amazon is not exhibiting at this year’s show, its presence was abundantly visible through some 30,000 examples of apps compatible with its Alexa device.
  • Companies that may be considered old-line—Blackberry, Honeywell, ADP—have reinvented themselves through their understanding and embrace of technology that makes us more secure. “Security,” Palmer said, “is the gateway drug to home systems.”
  • At Honda’s booth, spectators were charmed by an adorable three-foot robot. The Japanese automaker discovered after the devastating tsunami in 2011 that children responded to the robot, which is capable of expressing empathy. “Americans have no interest in this,” Palmer said, adding this nugget: “Robotics are way ahead of anthropology and sociology.”
  • Chinese companies are the world’s leader in artificial intelligence. Google and Facebook lead in America. The presence of Chinese companies exhibiting at CES was a quantum leap over last year.
  • Some 15 million American homes have cut the cable cord and instead have roof antennas for TV service. So how can Comcast expect to flourish? The broadband giant will provide its customers the ability to connect various Internet of Things technologies that can be controlled through its voice remote.

More insights from CES and directors’ impressions of the governance implications raised by some of what they experienced will be covered in the January/February 2018 issue of NACD Directorship magazine. NACD Chief Programming Officer Erin Essenmacher also discussed AI with data scientist J.T. Kostman in a video interview.

The Future Is Now at CES

The 2018 Consumer Electronics Show (CES) opened to the public yesterday in Las Vegas. With over 3,900 exhibitors from 29 countries, there is a lot to absorb.

For a group of some 40 directors, a sneak peek of CES given courtesy of the National Association of Corporate Directors (NACD) and Grant Thornton LLP provided a focused beginning to a three-day exploration of new technology—from robots to self-driving cars and augmented reality to smarter cities—and the implications for corporate governance.

For Grant Thornton, supporting NACD’s first CES Experience underscores the accounting firm’s position “as a challenger brand in the marketplace,” said Michael Desmond, a partner and National Audit Industry & Growth Leader at Grant Thornton. “Being here at CES with a group of directors allows us to support our partnership with NACD and continue our reach into the marketplace at the C-suite and board levels. At the same time, this is where forward thinking and innovation are on display and all of these elements converge.”

Accompanying Desmond was David Wedding, a Grant Thornton partner who also chairs the firm’s board. “I’m here as a director myself and we, of course, are facing disruption in our industry from the impact of technology just like our customers. It will be interesting to see what’s trending and how other directors assess the ramifications of what we see.”

Maureen Conners, a director of Fashion Incubator in San Francisco and of NACD’s Northern California Chapter, and a former director of Deckers Brands, has been attending CES for at least 15 years. “The best advice I would give to anyone coming to CES is not to be afraid to ask the dumb questions,” she said. Conners worked in product development at Gillette, Levi Strauss, and Mattel, and started attending CES when, as a consultant, she helped Polaroid launch its first digital camera. She spoke of how seeing a driverless car maneuver onto a stage during an Intel presentation on Monday night stirred questions for her about how they will ultimately be used.

“I must admit it’s different seeing it in person,” she said.

Liane Pelletier, a director on the tour who serves on the boards of ATN International, Expeditors International, and NACD’s Northwest Chapter, echoed that sentiment: “It’s one thing to read about discrete enabling technologies that can disrupt our companies, and it’s entirely different to see and envision all of the use cases.”

Some of the other new products that stand to have industry-altering impacts included: a concept bed from Reverie that adjusts itself based on brain-wave activity; a self-driving Lyft vehicle; and a plush Aflac duck robot with three patents pending that uses a mixed-reality app to help comfort kids coping with cancer.

Come back tomorrow for additional coverage of NACD and Grant Thornton’s board-focused CES Experience.