A security checklist for CEOs to sleep at night

Cybersecurity checklist

CEOs are in a complex quandary on information security. On the one hand, this is a topic requiring deep technical expertise which is (usually) outside the wheelhouse of CEOs, unless they head up a security tech company. On the other hand, it has become abundantly clear that in the court of public perception (and, for that matter, the court of law), it is considered a CEO’s personal responsibility to ensure that appropriate protections are in place to protect the information of a company’s customers – particularly consumers. No CEO wants to end up on the front page of the newspaper or sued for negligence over a breach. Recent incidents should serve as sufficient motivation:


Like many CEO responsibilities, the key is to put the right team in place – whether permanent employees or outside partners providing IT guidance for the executive team. But how can a CEO without technical security expertise know whether their security team and program protect them in every way they should? How can a modern-day CEO sleep at night when considering information security?

Our team of expert C-level consultants has consolidated this list of the main components which should be included in an effective information security program. A summary list of this kind is, of course, no replacement for deep research, nor any guarantee that the protections put in place will function as intended. But for CEOs wanting to get some sleep at night, it does at least provide fodder for a good conversation with your head of IT, and possibly a reason to engage an outside expert for C-suite IT advice.


Perimeter Security

  • Physical security in Data center(s), Business location(s)
  • Perimeter Firewall(s) (+ geography filter if possible – at minimum, “impossible travel” blocks) *
  • Wireless network security, access control. Separate the “guest” network (if any at all) *
  • Intrusion Detection/Prevention (at minimum, access/VPN audit log reviews* or SIEM log alerting)
  • Regular port-scans/penetration testing *
  • Secure website and web services architecture (no SQL injections, etc.) *

Email Security

  • Email virus, spam blacklist filtering
  • Email domain spoofing/phishing protection *

Device Security

  • Endpoint PC virus/malware protection *
  • Server virus/malware protection *
  • Server & Endpoint patching, configuration management *
  • Mobile device security, mobile wipe on loss/theft

Access Controls

  • Multi-factor authentication (e.g. requiring an app/text PIN in addition to a password, at minimum for remote system access)
  • Cloud Security monitoring (+ geography filter if possible – at minimum, “impossible travel” blocks)
  • Complex password requirements (more important than reset frequency)
  • Application access level controls, “toxic combination” audit *
  • Privileged Administrator/Service account password process/tool *
  • Regular network account audit, contractor timed expirations *

Data Security

  • Complete server/cloud backups daily (near real-time replication is even better; PC backups for key personnel are also worthwhile) *
  • Secure disposal/recycling of used equipment
  • Encryption of all data at rest for SSNs/CCs/banking/identity data

Staff Training

  • Business staff security training/reminder program *
  • Administrative account holders cybersecurity training

* Several of these suggested controls are part of the Center for Internet Security (CIS) controls.

If your IT leaders have good solutions in place covering these “threat vectors”, and have a way to know that the protections are functioning correctly, they are covering the basics, and you should at least be able to sleep at night. On the other hand, the absence or failure of any one of the line items listed above can expose your organization to risk. If any of these protections need to be installed or upgraded, or if you’d like an outside perspective on any unique risks to which your organization may be exposed, please contact us to explore how our experts can offer a deeper analysis.