CEOs are in a complex quandary on information security. On the one hand this is a topic requiring deep technical expertise which is (usually) outside the wheelhouse of CEOs, unless they head up a security tech company. On the other hand, it has become abundantly clear that in the court of public perception (and for that matter, the court of law), it is considered a CEO’s personal responsibility to ensure that appropriate safeguards are in place to protect the information of a company’s customers – particularly consumers. No CEO wants to end up on the front page of the newspaper or sued for negligence over a breach. Recent incidents should serve as sufficient motivation:
- SolarWinds – A massive “supply chain” espionage attack detected in 2020. Russian hackers compromised a software update used by 33,000 customers, infiltrating the highest levels of the U.S. government (including the Treasury and Pentagon) and major corporations for months before detection.
- Colonial Pipeline – The most consequential cyberattack on U.S. energy infrastructure in history. A ransomware attack in 2021 forced the shutdown of a pipeline carrying 45% of the East Coast’s fuel, triggering panic buying, gas shortages, and a state of emergency across 17 states.
- Shanghai Police Database – Likely the largest privacy breach in human history. In 2022, a hacker offered to sell a database containing the names, addresses, government IDs, and criminal records of 1 billion Chinese citizens (nearly 70% of the country’s population) for just 10 Bitcoin.
- MGM Resorts – A textbook example of “social engineering” in 2023. Teen hackers (Scattered Spider) called the IT helpdesk pretending to be an employee to reset a password. The resulting ransomware attack shut down slot machines, hotel room keys, and elevators in Las Vegas for 10 days, costing MGM over $100 million.
- Change Healthcare – The most damaging attack on U.S. healthcare to date. In 2024, ransomware crippled the largest payment processor in the medical industry. It paralyzed billing for hospitals and pharmacies nationwide for weeks, forcing providers to take out loans to pay staff and leaving patients unable to fill prescriptions.
- Ticketmaster / Snowflake – A massive cloud storage theft in 2024. Hackers bypassed security on a Snowflake cloud account to steal the details of 560 million Ticketmaster customers, including ticket sales, payment info, and customer names, demanding a $500,000 ransom.
- National Public Data – A background-check company was breached in 2024, leaking 2.9 billion records. Unlike other breaches, this included unencrypted Social Security Numbers for hundreds of millions of Americans, effectively compromising the identity infrastructure of the entire U.S. adult population.
- Equifax – 146 million customers’ detailed credit records and Social Security numbers were breached in 2017. A breach of one of the three major credit bureaus exposed Social Security numbers and credit histories of nearly half the U.S. population due to a failure to patch a known software flaw.
- Maersk/Merck/FedEx (NotPetya) – Originally a Russian attack on Ukraine in 2017, this “wiper” malware escaped and caused $10 billion in global damage, including impacts on Merck and FedEx and the shutdown of Maersk shipping terminals worldwide.
- Marriott/Starwood – 500 million customer records breached in 2018, including birthdates and passport details. Hackers lived inside the Starwood reservation system for four years, stealing passport numbers and travel itineraries.
- Capital One – 100 million customers’ credit card details and histories were breached in July 2019. An insider hack exposed raw financial details and credit scores of millions of applicants.
- Anthem Health – 80 million customers’ identity and health insurance records were breached in 2015. The first massive theft of highly sensitive medical history and insurance IDs, exposing customers to lifetime medical fraud risks.
- Sony Motion Pictures – hacked by a group working with North Korea. Hackers wiped servers and leaked unreleased films and embarrassing emails to coerce Sony into cancelling a movie about Kim Jong Un.
- Yahoo – 3.5 billion account details breached in 2013–14. The largest data breach in history by sheer volume, affecting nearly every user on their system.
Like many CEO responsibilities, the key is to put the right team in place – whether permanent employees or outside partners providing IT guidance for the executive team. But how can a CEO without technical security expertise know whether their security team and program protect them in every way they should? How can a modern-day CEO sleep at night when considering information security?
Our team of expert C-level consultants has consolidated this list of main components that should be included in an effective information security program. A summary list of this kind is, of course, no replacement for deep research nor any assurance that protections put in place will function as intended. But for CEOs wanting to get some sleep at night, it does at least provide fodder for a good conversation with your head of IT, and possibly a reason to engage an outside expert for C-suite IT advice…
Perimeter & Identity Security
- Multi-factor authentication (e.g. requiring an app/text PIN + password, at minimum for remote system access)
- Complex password requirements (more important than reset frequency)
- Physical security in data center(s), business location(s)
- Perimeter Firewall(s) (+ geography filter if possible – at minimum, “impossible travel” blocks) *
- Wireless network security, access control. Separate the “guest” network (if any at all) *
- Intrusion Detection/Prevention (at minimum, access/VPN audit log reviews* or SIEM log alerting)
- Regular port-scans/penetration testing *
- Secure website and web services architecture (no SQL injections, etc.) *
- Audit of key software vendors’ security standards (Supply Chain Risk)
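One way the “impossible travel” check from the list above (also listed under Cloud Security monitoring further down) works in practice, as an added example that is not part of the original article: consecutive successful logins by the same account are geolocated, and the travel speed those two locations would require is compared against a plausible maximum. The log lines, IP addresses and the IP-to-city table here are constructed for the example; a real deployment would resolve addresses through a GeoIP database and read the VPN or SIEM log.

```python
"""Impossible-travel check over VPN/auth log lines.

Added example, not from the original article. Log lines, IP addresses and
coordinates are constructed; a real deployment resolves IPs with a GeoIP
database and reads the VPN or SIEM log instead of SAMPLE_LOG.
"""
from dataclasses import dataclass
from datetime import datetime
from math import asin, cos, radians, sin, sqrt

# Constructed IP -> (city, latitude, longitude) table standing in for GeoIP.
GEO = {
    "203.0.113.10": ("Chicago", 41.88, -87.63),
    "203.0.113.11": ("Chicago", 41.88, -87.63),
    "198.51.100.7": ("Frankfurt", 50.11, 8.68),
    "192.0.2.200": ("Singapore", 1.35, 103.82),
}

# Constructed audit log in a simple "timestamp user ip result" form.
SAMPLE_LOG = """\
2024-05-01T08:02:11Z alice 203.0.113.10 SUCCESS
2024-05-01T08:40:00Z alice 203.0.113.11 SUCCESS
2024-05-01T09:15:30Z alice 192.0.2.200 SUCCESS
2024-05-01T07:00:00Z bob 198.51.100.7 SUCCESS
2024-05-01T19:30:00Z bob 203.0.113.10 SUCCESS
2024-05-01T10:00:00Z carol 192.0.2.200 FAILURE
"""

MAX_PLAUSIBLE_KMH = 900.0  # roughly airliner speed; tune for your environment


@dataclass
class Login:
    ts: datetime
    user: str
    ip: str


def parse_log(text):
    """Parse successful logins only: a failed attempt does not prove presence."""
    logins = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, ip, result = line.split()
        if result != "SUCCESS":
            continue
        logins.append(Login(datetime.fromisoformat(ts.replace("Z", "+00:00")), user, ip))
    return logins


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance between two points in kilometres."""
    lat1, lon1, lat2, lon2 = map(radians, (lat1, lon1, lat2, lon2))
    a = sin((lat2 - lat1) / 2) ** 2 + cos(lat1) * cos(lat2) * sin((lon2 - lon1) / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(a))


def impossible_travel(logins, geo=GEO, max_kmh=MAX_PLAUSIBLE_KMH):
    """Return (user, from_city, to_city, implied_kmh) for each pair of consecutive
    successful logins by one account that would need travel faster than max_kmh."""
    by_user = {}
    for login in sorted(logins, key=lambda l: l.ts):
        by_user.setdefault(login.user, []).append(login)
    alerts = []
    for user, seq in by_user.items():
        for prev, cur in zip(seq, seq[1:]):
            if prev.ip not in geo or cur.ip not in geo:
                continue  # unknown location: cannot judge, log separately if desired
            city1, lat1, lon1 = geo[prev.ip]
            city2, lat2, lon2 = geo[cur.ip]
            dist = haversine_km(lat1, lon1, lat2, lon2)
            if dist == 0:
                continue  # same place (e.g. two office egress addresses)
            hours = (cur.ts - prev.ts).total_seconds() / 3600
            speed = dist / hours if hours > 0 else float("inf")
            if speed > max_kmh:
                alerts.append((user, city1, city2, round(speed)))
    return alerts


if __name__ == "__main__":
    for alert in impossible_travel(parse_log(SAMPLE_LOG)):
        print("IMPOSSIBLE TRAVEL:", alert)
```

In the sample, alice’s Chicago login followed 35 minutes later by a Singapore login is flagged, while bob’s Frankfurt-to-Chicago pair twelve and a half hours apart is not. Expect false positives from corporate proxies and mobile carriers whose exit addresses geolocate far from the user; the usual fix is an allow-list of known egress ranges rather than raising the speed threshold.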
Email Security
- Email virus, spam blacklist filtering
- Email domain spoofing/phishing protection *
Device Security
- Endpoint PC virus/malware protection *
- Server virus/malware protection *
- Server & Endpoint patching, configuration management *
- Mobile device security, mobile wipe on loss/theft
Access Controls
- Cloud Security monitoring (+ geography filter if possible – at minimum, “impossible travel” blocks)
- Application access level controls, “toxic combination” audit *
- Privileged Administrator/Service account password process/tool *
- Regular Network account audit, contractor timed expirations *
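The “toxic combination” audit and the contractor-expiration audit in this list are both simple checks over a directory export, shown here as an added example that is not part of the original article. The account records, role names and the forbidden role pairs are constructed; in practice the records come from the directory or identity provider and the pairs from the finance or audit team’s separation-of-duties matrix.

```python
"""Access-control audit: separation-of-duties ("toxic combination") check and
contractor account expiry check.

Added example, not from the original article. Account records, role names and
TOXIC_PAIRS are constructed; real input is a directory/IdP export and the
organisation's own separation-of-duties matrix.
"""
from datetime import date

# Constructed directory export: one record per account.
ACCOUNTS = [
    {"user": "alice", "type": "employee", "enabled": True, "expires": None,
     "roles": {"create_vendor", "approve_payment"}},
    {"user": "bob", "type": "employee", "enabled": True, "expires": None,
     "roles": {"submit_expense"}},
    {"user": "carol", "type": "contractor", "enabled": True, "expires": date(2024, 3, 31),
     "roles": {"read_reports"}},
    {"user": "dave", "type": "contractor", "enabled": True, "expires": None,
     "roles": {"read_reports", "approve_expense", "submit_expense"}},
    {"user": "erin", "type": "contractor", "enabled": False, "expires": date(2023, 12, 31),
     "roles": set()},
]

# Constructed separation-of-duties matrix: one side of each pair creates an
# obligation, the other approves it, so no single account may hold both.
TOXIC_PAIRS = [
    ("create_vendor", "approve_payment"),
    ("submit_expense", "approve_expense"),
    ("change_payroll", "approve_payroll"),
]


def toxic_combinations(accounts, pairs=TOXIC_PAIRS):
    """Return sorted (user, role_a, role_b) for every enabled account holding both
    roles of a forbidden pair."""
    hits = []
    for acct in accounts:
        if not acct["enabled"]:
            continue
        for a, b in pairs:
            if a in acct["roles"] and b in acct["roles"]:
                hits.append((acct["user"], a, b))
    return sorted(hits)


def contractor_findings(accounts, today):
    """Return sorted (user, finding) for enabled contractor accounts that have no
    expiry date, or whose expiry date has already passed."""
    findings = []
    for acct in accounts:
        if acct["type"] != "contractor" or not acct["enabled"]:
            continue
        if acct["expires"] is None:
            findings.append((acct["user"], "no expiry date"))
        elif acct["expires"] < today:
            findings.append((acct["user"], f"expired {acct['expires'].isoformat()} but still enabled"))
    return sorted(findings)


if __name__ == "__main__":
    for hit in toxic_combinations(ACCOUNTS):
        print("TOXIC COMBINATION:", hit)
    for finding in contractor_findings(ACCOUNTS, date.today()):
        print("CONTRACTOR:", finding)
```

Run on a schedule, both functions produce a short list that an IT lead can take to the business owner of each application; a disabled account with a past expiry (erin above) is correct and produces no finding.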
Data Security
- Complete server/cloud backups daily (near real-time replication is better still; PC backups for key personnel are also recommended) *
- Secure disposal/recycling of used equipment
- Encryption of all data at rest for SSNs/CCs/Banking/identity data
- “Quantum-Resilient” Inventory: Identify which long-term sensitive data (data valuable for 10+ years) is currently encrypted with standards that quantum computers will break. (The risk is “Harvest Now, Decrypt Later” – hackers stealing encrypted data today to unlock it when the tech arrives).
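The “Quantum-Resilient” inventory above amounts to joining two facts per data store: how long the data stays valuable, and which of the algorithms protecting it rely on public-key schemes (RSA, Diffie-Hellman, elliptic curves) that a large quantum computer would break. The following is an added example that is not part of the original article; the stores, retention periods and algorithm names are constructed, and the classification uses current public guidance (RSA/ECC/DH broken by Shor’s algorithm, AES-256 considered adequate, ML-KEM/ML-DSA/SLH-DSA as the NIST post-quantum standards).

```python
"""'Harvest now, decrypt later' inventory check.

Added example, not from the original article. INVENTORY entries are constructed;
the algorithm classification follows current public guidance: RSA/ECC/DH are
broken by Shor's algorithm, AES-256 is considered adequate, AES-128 keeps a
reduced margin under Grover's algorithm, and ML-KEM / ML-DSA / SLH-DSA are the
NIST post-quantum standards (FIPS 203/204/205).
"""

# Constructed inventory: what each store holds, how long it stays valuable, and
# the algorithm protecting it at rest, in key wrapping and in transit.
INVENTORY = [
    {"store": "customer-ssn-db", "retention_years": 30,
     "algorithms": {"at_rest": "AES-256", "key_wrap": "RSA-2048", "transit": "ECDHE-RSA"}},
    {"store": "marketing-clickstream", "retention_years": 1,
     "algorithms": {"at_rest": "AES-128", "transit": "ECDHE-RSA"}},
    {"store": "hr-medical-records", "retention_years": 50,
     "algorithms": {"at_rest": "AES-256", "key_wrap": "ML-KEM-768", "transit": "ECDHE-RSA"}},
    {"store": "archive-backups", "retention_years": 15,
     "algorithms": {"at_rest": "AES-128", "key_wrap": "ECDH-P256"}},
]

SHOR_BROKEN = ("RSA", "ECDH", "ECDSA", "DH", "DSA")  # public-key families broken by Shor
PQ_SAFE = ("ML-KEM", "ML-DSA", "SLH-DSA")            # NIST post-quantum standards


def quantum_status(alg):
    """Classify one algorithm name: 'pq', 'ok', 'reduced-margin', 'broken' or 'unknown'."""
    name = alg.upper()
    if name.startswith(PQ_SAFE):
        return "pq"
    if name.startswith(("AES-256", "CHACHA20")):
        return "ok"
    if name.startswith("AES-128"):
        return "reduced-margin"  # Grover halves the effective key length
    if any(token in name for token in SHOR_BROKEN):
        return "broken"  # e.g. "ECDHE-RSA" relies on two Shor-breakable primitives
    return "unknown"


def hndl_findings(inventory, horizon_years=10):
    """Return sorted (store, use, algorithm, status) for every store whose data stays
    valuable for at least horizon_years and is protected somewhere by an algorithm
    that is not 'ok' or 'pq'. In-transit entries count too: recorded TLS sessions
    are exactly what a harvest-now-decrypt-later adversary keeps."""
    findings = []
    for item in inventory:
        if item["retention_years"] < horizon_years:
            continue
        for use, alg in item["algorithms"].items():
            status = quantum_status(alg)
            if status not in ("ok", "pq"):
                findings.append((item["store"], use, alg, status))
    return sorted(findings)


if __name__ == "__main__":
    for finding in hndl_findings(INVENTORY):
        print("HNDL RISK:", finding)
```

The output is a migration worklist ordered by store: the 1-year clickstream store is not listed at all, while the 50-year medical store is listed only for its TLS key exchange because its key wrapping already uses ML-KEM. Classifying by name prefix is deliberately crude; a real inventory should record the key sizes and protocol versions actually configured, which scanners and the vendors’ own documentation can supply.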
Staff Training
- Business staff security training/reminder program *
- Administrative account holders cybersecurity training
* Several of these suggested controls are part of the Center for Internet Security (CIS) Controls.
If your IT leaders have good solutions in place covering these “threat vectors”, and have a way to know that protections are functioning correctly, they are covering the basics, and you should at least be able to sleep at night. On the other hand, the absence/failure of any one of the line items listed above can open your organization to risk. If any of these protections need to be installed or upgraded, or if you’d like an outside perspective on any unique risks to which your organization may be exposed, please contact us to explore how our experts can offer a deeper analysis.