CEOs are in a complex quandary on information security. On the one hand this is a topic requiring deep technical expertise which is (usually) outside the wheelhouse of CEOs, unless they head up a security tech company. On the other hand, it has become abundantly clear that in the court of public perception (and for that matter, the court of law), it is considered a CEO’s personal responsibility to ensure that appropriate protections are in place to protect the information of a company’s customers – particularly consumers. No CEO wants to end up on the front page of the newspaper or sued for negligence over a breach. Recent incidents should serve as sufficient motivation:

Like many CEO responsibilities, the key is to put the right team in place – whether permanent employees or outside partners. But how can a CEO without technical security expertise know whether their security team and program protect them in every way they should? How can a modern-day CEO sleep at night when considering information security?

Our team of expert C-level consultants has consolidated this list of main components which should be included in an effective information security program. A summary list of this kind is, of course, no replacement for deep research, nor any guarantee that protections put in place will function as intended. But for CEOs wanting to get some sleep at night, it does at least provide fodder for a good conversation with your CIO and CISO…


Perimeter Security

  • Physical security in Data center(s), Business location(s)
  • Perimeter Firewall(s) (+ geography filter if possible – at minimum, “impossible travel” blocks)
  • Intrusion Detection/Prevention (at minimum, log reviews)
  • Regular port-scans/penetration testing
  • Secure website and web services architecture (no SQL injections, etc.)

Email Security

  • Email virus, spam blacklist filtering
  • Email domain spoofing/phishing protection

Device Security

  • Endpoint PC virus/malware protection
  • Mobile device security, mobile wipe on loss/theft

Access Controls

  • Multi-factor authentication (e.g. requiring a text PIN + password – at minimum for remote system access)
  • Cloud Security monitoring (+ geography filter if possible – at minimum, “impossible travel” blocks)
  • Complex password requirements (more important than reset frequency)
  • Application access level controls, “toxic combination” audit
  • Privileged Administrator/Service account password process/tool
  • Regular Network account audit, contractor timed expirations
  • User security training/reminder program
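The “impossible travel” blocks mentioned under Perimeter Security and Access Controls above work by comparing consecutive logins of the same user: if the distance between the two source locations could not be covered in the time between them, the second login is blocked or challenged. The following detector is an added example written for this page, not a product or the authors’ own tooling; it assumes the source IP of each login has already been resolved to coordinates, and the login events are constructed for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
from math import asin, cos, radians, sin, sqrt

EARTH_RADIUS_KM = 6371.0
MAX_PLAUSIBLE_SPEED_KMH = 900.0  # roughly airliner cruising speed; tune to your environment

@dataclass(frozen=True)
class Login:
    user: str
    when: datetime      # timezone-aware UTC timestamp
    lat: float          # geolocation already resolved from the source IP (assumption)
    lon: float
    source_ip: str

def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance between two points, in kilometres."""
    p1, p2 = radians(lat1), radians(lat2)
    dlat, dlon = p2 - p1, radians(lon2 - lon1)
    a = sin(dlat / 2) ** 2 + cos(p1) * cos(p2) * sin(dlon / 2) ** 2
    return 2 * EARTH_RADIUS_KM * asin(sqrt(a))

def find_impossible_travel(events, max_speed_kmh=MAX_PLAUSIBLE_SPEED_KMH):
    """Return (user, earlier, later, implied_speed_kmh) for each consecutive login pair of one user that exceeds max_speed_kmh."""
    by_user = {}
    for ev in sorted(events, key=lambda e: (e.user, e.when)):
        by_user.setdefault(ev.user, []).append(ev)
    findings = []
    for user, logins in by_user.items():
        for prev, cur in zip(logins, logins[1:]):
            km = haversine_km(prev.lat, prev.lon, cur.lat, cur.lon)
            hours = (cur.when - prev.when).total_seconds() / 3600
            # Simultaneous logins from distant places are impossible too; also avoids division by zero.
            speed = km / hours if hours > 0 else (float("inf") if km > 0 else 0.0)
            if speed > max_speed_kmh:
                findings.append((user, prev, cur, round(speed, 1)))
    return findings

# Constructed sample events (documentation IP ranges, made-up users and times).
SAMPLE_LOGINS = [
    Login("alice", datetime(2024, 3, 1, 9, 0, tzinfo=timezone.utc), 40.71, -74.01, "198.51.100.10"),  # New York
    Login("alice", datetime(2024, 3, 1, 10, 0, tzinfo=timezone.utc), 51.51, -0.13, "203.0.113.25"),   # London, 1 h later
    Login("bob", datetime(2024, 3, 1, 9, 0, tzinfo=timezone.utc), 41.88, -87.63, "192.0.2.40"),       # Chicago
    Login("bob", datetime(2024, 3, 1, 12, 0, tzinfo=timezone.utc), 41.88, -87.63, "192.0.2.40"),      # Chicago again
]

if __name__ == "__main__":
    for user, a, b, kmh in find_impossible_travel(SAMPLE_LOGINS):
        print(f"{user}: {a.source_ip} -> {b.source_ip} implies {kmh} km/h; block or step up to MFA")
```

In production the same check would be fed by the firewall, VPN or cloud identity provider’s sign-in log, and a hit would trigger a block or an MFA challenge rather than just a printed line.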

Data Security

  • Complete server/cloud backups daily (replication is even better; PC backups for key personnel better still)
  • Secure disposal/recycling of used equipment
  • Server virus/malware protection; encryption of all data at rest if possible (SSNs/credit cards/banking/identity data at minimum)


If your IT leaders have good solutions in place covering these “threat vectors”, and have a way to know that protections are functioning correctly, they are covering the basics, and you should at least be able to sleep at night. On the other hand, the absence or failure of any one of the line items listed above can expose your organization to risk. If any of these protections need to be installed or upgraded, or if you’d like an outside perspective on any unique risks to which your organization may be exposed, please contact us to explore how our experts can offer a deeper analysis.