The Top 5 Questions CEOs Should be asking about Cybersecurity

George Finney

The news over the last few weeks has intensely covered one topic: cybersecurity. Colonial Pipeline reportedly paid $5 million to a ransomware group after its operations were shut down for nearly a week while part of the country reeled from a shortage of gas. And this was just one of thousands of companies impacted by one type of cybercrime, just so far this year.

CEOs have reported that cybersecurity is one of the most significant challenges they face. And in 2021, PwC reported that almost half of all US CEOs were increasing investments in cybersecurity, and almost a third of CEOs were increasing investments by double digits. So what are some questions CEOs should be asking about those investments?

I’m the Chief Security Officer at Southern Methodist University, a large private university in Dallas. I’m also the award-winning author of the bestselling cybersecurity book, Well Aware. It’s my job and my passion to help protect organizations, and there are five questions that I wish CEOs were asking when it comes to cybersecurity.

Where is our data?

You can’t protect what you don’t know about, which is why the #1 recommendation from cybersecurity experts for the last decade has been to maintain an inventory. Your inventory should include where your data is and whether it’s secret or not.

Everyone should understand what data is important and what isn’t, just as the government has its secret and top-secret classifications. But you also need to know what devices you have and who they’ve been assigned to, and you need to know what software is installed on those devices.

Do we “get” security?

Security is everyone’s job. In my book, Well Aware, I describe nine cybersecurity habits that we can focus on to build healthy cybersecurity behaviors into our daily lives. I did hundreds of interviews with CEOs, lawyers, accountants, and other executives to find successful leaders who’ve made a difference in cybersecurity so that we can follow their examples. What I found was that you don’t need to be a cyber expert to make a difference in security.

The organizations that do best at cybersecurity are the ones that don’t use fear to enforce their culture. The most successful ones used positive messages and had empathy for their employees, which helped everyone make a difference.

To “get” security means working together to solve problems.

Are we doing the “basics” right?

Not every organization uses the same technology the same way, so protecting your organization needs to be tailored to you. Depending on the size and shape of your organization, there may be big differences in how you approach solving cybersecurity challenges.

A first consideration: where does cybersecurity belong in your organization? Is security some obscure group inside your Information Technology department? Is there a single person, such as a CISO, with responsibility for security? There’s no one perfect organization chart for security. For example, if your company only has 200 people, it might be better to use a virtual CISO who reports to a CIO or CFO rather than a dedicated employee, because of the cost.

There may be different definitions of what the “basics” are, but here are a few examples:

  1. Maintain an inventory of all devices, software, and data – See #1 above. There are a number of software services that can help with this.
  2. Maintain a risk register – Make sure you’re tracking what your organization’s biggest threats are and what you’re doing about them.
  3. Patch your computers – Yes, this is still on the list. Yes, it’s still a problem. It means taking time away from other things, taking down computers, and temporarily inconveniencing staff.
  4. Run firewalls and antivirus – Modern security technology can go a long way towards protecting your organization. Chances are your old antivirus doesn’t protect you from ransomware, and you should ask for metrics on how effective these controls are.
  5. Logging – Everything a computer does creates a log, and those logs should all be stored centrally for as long as possible, usually around a year.
  6. Penetration Testing – Hire “hackers” to scan your networks and proactively look for potential issues before they are used against you.
  7. Incident Response – If you have to figure out what to do during a breach, it’s already too late. Instead, create your plan now and test it with your staff to make sure it works.
  8. Education – Regular education and training, such as simulated phishing or tabletop exercises, are best practices. A 5-minute video once a year is not sufficient. Instead, create opportunities to help employees make cybersecurity a habit.

Are we being proactive?

An ounce of prevention is worth a pound of cure. Researchers at IBM found that the cost of addressing a security issue in software after it is deployed is 6 times higher than it would have been during the design phase. To be effective, your cybersecurity team can’t wait for issues to arise. With an effective cybersecurity program, you can prevent ransomware or software vulnerabilities from shutting your business down. And if your program is effective, your technology team will spend less time firefighting and more time improving the program even further.

Are we investing enough?

Cybersecurity can be a competitive advantage, so rather than viewing cyber as a cost center, treat it as an investment. In my book, I shared the story of a company that invested in cybersecurity to become #1 in its market, in part because the market leader had a number of security vulnerabilities in its product that took years to fix.

It’s better to pay a little now than to suffer prolonged outages, pay millions to a ransomware group, or lose customer confidence. How much is enough? Gartner reports that on average, organizations spend approximately 5.6% of their overall IT budget on cybersecurity, but prioritizing the right projects, reducing complexity, and having visibility into business priorities are what define real security maturity.

One question not to ask: Who is to blame? Several high-profile CEOs, most notably the former Equifax CEO and the former SolarWinds CEO, pointed the finger at a single employee or an intern as the cause of the breach. A successful cybersecurity program should be able to prevent or mitigate the damage from any one individual making a mistake. Knowing what your crown jewels are and protecting them is the cornerstone of your security program, but you can’t forget that the crown that holds those jewels is your people.

George Finney
George Finney is a Chief Information Security Officer who believes that people are the key to solving our cybersecurity challenges. He is the CEO and founder of Well Aware Security and the CSO for Southern Methodist University in Dallas, Texas.

George has worked in cybersecurity for nearly 20 years and has helped startups, global telecommunications firms, and nonprofits improve their security posture. As part of his passion for education, George has taught cybersecurity at Southern Methodist University and is the author of several cybersecurity books, including Well Aware: Master the Nine Cybersecurity Habits to Protect Your Future and No More Magic Wands: Transformative Cybersecurity Change for Everyone.

George was recognized by Security Magazine as one of its top cybersecurity leaders in 2018, is part of the Texas CISO Council, is a member of the Board of Directors for the Palo Alto Networks FUEL User Group, and is an Advisory Board member for SecureWorld. George holds a Juris Doctorate from Southern Methodist University and a Bachelor of Arts from St. John’s College, as well as multiple cybersecurity certifications including the CISSP, CISM, and CIPP.

George Finney is an opinion columnist for the CEOWORLD magazine. You can follow him on LinkedIn.