A Cybersecurity Checklist for Executives – Part 1
By Ben Hunter, III, CPA, CITP, CISA, CRISC, CFE, CISM
Cybersecurity is on everyone’s mind. We hear about it on social media, from local outlets, and even on the national evening news. But what can leaders do to help protect their organization? Too often the owners, directors, presidents, CEOs, etc. of small and medium sized organizations assume that the information technology team or outsourced vendor is taking care of the security. However, most of the information technology teams are not focused on security, because their systems are not alerting any current problems. It is very difficult to prove an activity is providing value by stating something is not happening (i.e. we have had no data breaches, therefore our cybersecurity team is doing a good job). It is human nature to want to provide value, and it is easier to show the speed and availability of the network. Therefore, information technology teams focus on speed, availability, and ease of use. That keeps users and the leadership of the organization happy. Leaders need to start moving the focus onto security, and the checklist I have created will help leaders do this.
Why a checklist? Checklists help us perform tasks without having to think about everything that needs to be done at once. A checklist organizes our thought process and helps us make sure we perform consistently. There are checklists for all sorts of activities. Airline pilots have pre-flight, in-flight and post-flight checklists. They also have emergency checklists that allow them to act without thinking and land a plane on a river (like Captain Sully did a few years ago). In our own lives, a checklist of people to notify in case of an emergency including neighbors, family members, doctors, veterinarians, and insurance agents can help. We even have checklists for items we should keep in our car for a winter emergency.
There are two types of checklists: Read-do and do-confirm. For a read-do checklist, you read each step of the task, and then perform them in order, checking them off as you go, like following a recipe. For a do-confirm checklist, you perform steps of the task from memory until you reach a defined pause point, and then you go through the checklist and confirm that each step has been completed. Or in the case of cybersecurity, someone else (IT team) performs the tasks and management then confirms the tasks are completed.
It’s an old cliché: “What gets measured gets done.” The origin of the statement is up for debate (some say it goes back to Rheticus in the 1500s!), and it seems that the original phrase was actually “If you can measure it, you can manage it.” Regardless of the origin or the wording, the message is clear: measuring something gives you the information you need in order to make sure you actually achieve what you set out to do. When your IT Department knows the organization’s leadership/management/those charged with governance will be looking at the items on this checklist, the IT Department will take them seriously. Here is the checklist :
- Hardware, Application and Cloud Inventory and Data Stored Thereon
- Risk Management Assessment
- IT Security Policy
- Backup and Restore Confirmation Reports of Essential Data
- Vulnerability Scan Reports
- Phishing Simulation Reports
We will discuss each of the checklist items in more detail in various installments of the BRC Newsletter, starting with the first checklist item in this installment:
- Hardware, Application and Cloud Inventory and Data Stored Thereon
There is a difference between having security controls and achieving the security objective. This seems to get lost in translation of the latest breach and what companies are doing to fix the mess after the breach. Let’s imagine an organization that focuses on data protection versus the next breach. Instead of talking about the new security technologies and security spending, the focus on data protection will lead the organization to decide what information is important to running the business, who should have access to it, and how it is protected. Notice the shift away from security controls (applicable to the entire dataset at the company) to a meaningful discussion regarding the information being most valuable to the mission of the business and how to protect it. Too often the focus in establishing security controls is to prevent the next breach, keep the organization out of hot water and save money if there is a breach. The more fundamental reason for security and privacy controls should be to protect the data from those who do not have a legitimate need to access the data and to enable the use of the data for those that require access to it, when they need it.
In order to focus on data protection, the organization has to know what data it has and where it is located. This is accomplished with a Hardware, Software, Application and Cloud Inventory. An organization needs to know what devices (whether they are physical, virtual or employee owned) are connected to its network. The organization also needs to know what software and applications are being used and what data those applications have access to. Management may need to perform interviews with its employees to find out what software is being used. The organization may have an approved list of applications, but employees are always looking for ways to do their job more efficiently and may have started using an application that management is not aware of. It is very important that the data is identified on this inventory. It is very important to know where (or on what devices) the data resides. This will then guide the security conversation and will help illuminate the risk tolerance of those charged with the governance of the organization. When pushed to identify the critical data, too often leadership takes the easy way out and claims ALL data is critical. Not only is this not true, but it clouds the conversation and impedes critical security progress. No company has enough money or resources to secure all data at the same level.
Look out for future installments of the BRC Newsletter for details on the remaining checklist items. Stay secure out there.
Ben Hunter, III CISO, Advisory Services Principal, CPA/CITP, CISA, CRISC, CDPSE, CISM
Ben is the Chief Information Security Officer for BRC and is a Principal in our Firm’s Risk Advisory Services Practice. He specializes in Cybersecurity and Information Technology Audits and Assessments. Ben began his cybersecurity career in the US Marine Corps. After becoming a Certified Public Accountant, he continued his cybersecurity and IT Audit training […]