CEOs: Top four things you should ask your CTO

This is a contributed piece from Jeremy Rasmussen, CTO of Abacode

In an ideal world, CEOs would have nothing to do but focus on growing their business, and no one would try to steal sensitive data by hacking into online networks. However, we all know that this is far from reality.

The last few years have seen a sharp rise in the number of high profile cyberattacks, from Yahoo! to NHS England and Russia’s potential interference with last year’s US Presidential election. Yet even with cybersecurity making headlines across the globe on an almost daily basis, the vast majority of business leaders are still not making it a priority – because they don’t know how.

The reason for this is often a lack of technical knowledge on the part of executive leadership. Historically, CEOs have simply ceded all responsibility to the IT department to oversee not only IT but cybersecurity as well. However, as today’s cyber-attacks become increasingly sophisticated and regulatory sanctions tougher than ever before, this practice is neither appropriate nor effective. IT experts are not necessarily cybersecurity experts, and proper governance necessitates a separation of duties.


CEOs must get a handle on their cybersecurity situation, and quickly, before it’s too late. According to the British Chambers of Commerce Digital Economy Survey in April this year, one in five UK businesses has been hit by a cyber-attack in the last 12 months. Further studies have found that up to 67% of UK businesses were hacked in 2016. To combat this rising cyber-threat, CEOs must start having frank conversations with their internal IT teams, and must lead the effort by asking the following questions:


When did we last do a full risk assessment?

All companies, regardless of size, have one thing in common – they are in a constant state of change. As new IT systems are deployed, new employees are brought on and applications start to be used by different teams for different tasks across the company, the amount and range of data collected and stored increases significantly. Alongside this positive growth, hackers and disgruntled former employees are finding ever more creative ways to launch large-scale cyberattacks.

In this fast-paced and ever-evolving world of business, even detailed and carefully considered risk assessments can become outdated in a very short time. Keeping risk assessments up to date should be an ongoing task, and not necessarily one completed internally: it is easy to overlook potential risks in an environment you work in every single day. A trusted Managed Security Service Provider (MSSP) can help ensure that your risk assessments stay relevant.

A full risk assessment gauges your security posture now and can be leveraged to develop a get-well plan. Don’t wait until a transition or migration project is complete to assess its risk. Security must be baked in from the start, rather than bolted on at the end.


Do we have visibility (24/7 monitoring) of our networks?

The most common cybersecurity choice is to install firewalls and antivirus. While these protections block certain types of threats, they have serious limitations: against attacks that exploit human nature to gain network access, such as phishing scams, firewalls and antivirus are often not up to the task required of them today. Further, they don’t always alert anyone when a cyber-attack has been attempted, meaning many business leaders are in the dark about their network’s security.

Best practice for addressing this lack of visibility across a business network is to introduce host- and network-based intrusion detection systems (IDS) combined with a security information and event management (SIEM) solution. Since a SIEM generates a considerable amount of intelligence, you must combine it with a fully staffed and trained security operations centre (SOC) to monitor the network 24/7. In accordance with an incident response plan, executive staff will always be informed when a high-profile attack has taken place. Having this visibility enables business leaders to be proactive in their cybersecurity.
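As an added illustration (not code from the author or Abacode), the following Python sketch shows why a SIEM needs a staffed SOC and an incident response plan behind it: it correlates host and network IDS alerts per host, scores them, and maps the result to an assumed three-tier escalation ladder ending in executive notification. The alert lines, severity weights and thresholds are all constructed for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample alerts from a host IDS (hids) and a network IDS (nids).
RAW_ALERTS = [
    "2018-03-01T09:00:01 nids host=srv-db-01 sev=low rule=port_scan src=10.0.5.7",
    "2018-03-01T09:00:40 hids host=srv-db-01 sev=medium rule=failed_login user=admin",
    "2018-03-01T09:01:10 hids host=srv-db-01 sev=medium rule=failed_login user=admin",
    "2018-03-01T09:01:55 hids host=srv-db-01 sev=high rule=new_admin_account user=svc_tmp",
    "2018-03-01T09:02:30 nids host=srv-db-01 sev=high rule=large_outbound_transfer dst=203.0.113.9",
    "2018-03-01T11:30:00 nids host=ws-042 sev=low rule=port_scan src=10.0.5.7",
]
SEVERITY_SCORE = {"low": 1, "medium": 3, "high": 5}   # assumed weights
WINDOW = timedelta(minutes=10)                         # assumed correlation window

def parse_alert(line):
    """Turn one 'timestamp source key=value ...' line into a dict."""
    ts, source, *fields = line.split()
    rec = {"ts": datetime.fromisoformat(ts), "source": source}
    rec.update(kv.split("=", 1) for kv in fields)
    return rec

def escalation_tier(score, sources):
    """Escalation ladder assumed from an incident response plan:
    analyst triage -> SOC lead -> executive notification.
    Executive notification needs a high score AND corroboration from
    more than one sensor type (host and network)."""
    if score >= 10 and len(sources) > 1:
        return "executive"
    if score >= 5:
        return "soc_lead"
    return "analyst"

def correlate(lines, window=WINDOW):
    """Group each host's alerts that fall within `window` of its first
    alert, sum their severity scores and assign an escalation tier."""
    by_host = defaultdict(list)
    for rec in sorted(map(parse_alert, lines), key=lambda r: r["ts"]):
        by_host[rec["host"]].append(rec)
    incidents = []
    for host, recs in by_host.items():
        start = recs[0]["ts"]
        group = [r for r in recs if r["ts"] - start <= window]
        score = sum(SEVERITY_SCORE[r["sev"]] for r in group)
        sources = {r["source"] for r in group}
        incidents.append({"host": host, "alerts": len(group), "score": score,
                          "sources": sources, "tier": escalation_tier(score, sources)})
    return incidents

if __name__ == "__main__":
    for inc in correlate(RAW_ALERTS):
        print(inc)
```

Six raw alerts collapse into two incidents: the database server, with corroborating host and network evidence, reaches the executive tier, while the lone port scan against a workstation stays with an analyst.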


Will we be GDPR compliant when the new regulations come into play?

By now all CEOs will know about the EU’s emerging General Data Protection Regulation (GDPR) that takes effect on 25th May 2018. But how many are confident that they will be compliant by then? To move toward being GDPR-compliant, companies must have the appropriate governance policies in place.

Nearly 90% of companies have poor governance structures with regard to cybersecurity, according to research conducted by the UK government. More often than not, internal IT departments are responsible for evaluating and governing their own cybersecurity systems. This is akin to asking an accountancy firm to carry out an audit of itself – which simply wouldn’t happen! A shake-up in this practice needs to take place and appropriate organisational structures need to be implemented by all businesses. Otherwise, companies run the risk of leaving themselves open not only to cyberattack but also to huge non-compliance penalties.

GDPR will necessitate not only proper governance but also understanding the who, what, where, when, how, and why of your data: on whom are we collecting private data, where is it stored, how long do we keep it, how do we secure it, and why are we collecting it? All firms will require this level of privacy audit, together with a plan to secure the data.


Do we have the right skill set to deal with increasingly sophisticated cyberattacks?

According to the International Information System Security Certification Consortium, or (ISC)², there will be a 1.8-million-person shortage in cybersecurity talent worldwide by 2020. Recruiting, training, and retaining cyber talent is a difficult proposition, and requires significant investment.

CEOs who are serious about safeguarding their companies’ data from cyberattack must begin putting their money where their mouth is. You are unlikely to be able to maintain a full cyber team, so engaging a trusted MSSP to review your security architecture and to implement and monitor protective countermeasures is likely the winning strategy.


With cybersecurity one of the biggest threats to businesses right now, CEOs must start putting it at the top of their agendas. This has to start with talking to their CTOs and Heads of IT about the current status of their networks and asking important but often difficult questions. Once these questions have been answered and new systems put in place, the company’s cyber health will undoubtedly be greatly improved.


IDG Connect