8 Questions to Ask Your Security Team

Wondering if you’re prepared for the possibility of a ransomware attack? Instead of worrying, get ahead of the threat by quizzing your CISO and security team about “what if” scenarios, and plans to get up and running quickly should your organization fall victim to an attack.


There’s a saying in cybersecurity: “It’s not if, it’s when.” With the odds increasingly in favor of your business becoming the target of online attacks, simply hoping it won’t happen isn’t a great strategy. 

Wondering if you’re prepared for the “when” scenario against ransomware or whatever new and dangerous threats bubble up in the near future? Instead of worrying, get ahead of the threats by quizzing your CISO and security team about “what if” scenarios, and plans to get up and running quickly should your organization fall victim to an attack.

If you’re in a leadership role, you might be losing sleep over cyberattacks. And you’re not alone. Ransomware attacks hit record levels in 2023, with healthcare organizations becoming a favored target. 

It’s time to sit down with your CISO and other security team members to discuss your organization’s cybersecurity defenses. The questions below can help you discover what safeguards are in place and where you might be falling short in deterring cyber threats.


1. Do we have a vulnerability and patch management program? How do we measure its effectiveness?

Installing software patches and updating systems to eliminate vulnerabilities are the low-hanging fruit of security tasks. However, it’s not easy for busy security teams to get into a regular cadence regarding patching and upgrading, which means it’s painfully easy to let these tasks slide. The 2021 Kaseya ransomware attack, which affected as many as 1,500 businesses that use the company’s supply-side software, may have been caused by the company’s inconsistent patching program. (In fact, employees appear to have complained to senior leaders about sloppy patching practices to no avail.)

If your security team confirms that your company has a patch management program, then the next questions to ask are: How do we measure success, and what are the SLAs?

Patching can’t do much good if the patches are applied months or even years after they’re released. Security teams must track how current the patch management program is and clearly demonstrate its effectiveness. Ideally, teams should aim to install patches within days or, at most, a couple of weeks. For major releases, the target should be n-1, or at worst, n-2.

If the security team tells you there is no patch management program or the program is too slow or ineffective, there’s no time like the present to get one started—or get your existing one amped up.
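The questions above boil down to a few metrics a leader can ask for on a dashboard: what share of patches land inside the agreed SLA, how long patching takes on average, which items are overdue, and how far behind the latest major release each install sits (n-1, n-2). The following is an added example, not code from Pure Storage or the original post; the SLA windows, the `PatchRecord` shape and the sample inventory are all assumptions constructed for illustration.

```python
from dataclasses import dataclass
from datetime import date
from statistics import mean
from typing import Optional

# Assumed SLA targets in days from vendor release to install. These are
# placeholders for this example; a real program sets its own windows.
SLA_DAYS = {"critical": 7, "high": 14, "medium": 30, "low": 90}


@dataclass
class PatchRecord:
    asset: str
    patch_id: str               # constructed identifier, not a real advisory
    severity: str               # one of the SLA_DAYS keys
    released: date              # vendor release date
    installed: Optional[date]   # None means the patch is still outstanding


def days_open(rec: PatchRecord, as_of: date) -> int:
    """Days from release to install, or to `as_of` if still outstanding."""
    end = rec.installed or as_of
    return (end - rec.released).days


def within_sla(rec: PatchRecord, as_of: date) -> bool:
    """True if the patch was (or still can be) applied inside its SLA window."""
    return days_open(rec, as_of) <= SLA_DAYS[rec.severity]


def sla_report(records, as_of: date) -> dict:
    """Summarise program effectiveness: percent within SLA, mean time to
    patch for installed items, and the outstanding items already past SLA."""
    compliant = [r for r in records if within_sla(r, as_of)]
    installed = [r for r in records if r.installed is not None]
    overdue = [r for r in records
               if r.installed is None and not within_sla(r, as_of)]
    return {
        "total": len(records),
        "pct_within_sla": round(100 * len(compliant) / len(records), 1) if records else 0.0,
        "mean_days_to_patch": round(mean(days_open(r, as_of) for r in installed), 1) if installed else None,
        "overdue": sorted(f"{r.asset}:{r.patch_id}" for r in overdue),
    }


def major_version_currency(current: int, latest: int) -> str:
    """Express how far an install lags the latest major release: n, n-1, n-2, ..."""
    gap = latest - current
    return "n" if gap <= 0 else f"n-{gap}"


# Constructed sample inventory (2024 is a leap year, so February has 29 days).
AS_OF = date(2024, 3, 1)
SAMPLE = [
    PatchRecord("web-01", "P-1001", "critical", date(2024, 2, 20), date(2024, 2, 24)),  # 4 days: in SLA
    PatchRecord("web-02", "P-1001", "critical", date(2024, 2, 20), None),              # 10 days open: overdue
    PatchRecord("db-01",  "P-1002", "high",     date(2024, 1, 15), date(2024, 2, 10)), # 26 days: SLA breached
    PatchRecord("db-02",  "P-1003", "medium",   date(2024, 2, 1),  date(2024, 2, 15)), # 14 days: in SLA
    PatchRecord("app-01", "P-1004", "low",      date(2024, 1, 1),  None),              # 60 days open: still in SLA
]

if __name__ == "__main__":
    print(sla_report(SAMPLE, AS_OF))
    print("storage firmware currency:", major_version_currency(14, 16))
```

On the sample inventory the report shows 60% of patches within SLA, a mean of 14.7 days to patch, and one overdue critical item; the currency helper reports a major version two releases behind as `n-2`, which is the "at worst" bound the text sets.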

2. Do we have a recovery plan mapped out in case we do suffer a ransomware attack? How will we restore data?

Security teams should consider setting up forensics retainers with outside firms that clearly define SLAs, response, and cost. And this arrangement needs to take place before attacks happen. The last thing anyone wants is to scramble for help as an attack is occurring.

Getting back online during the forensic process is key—and the right storage provider can be the difference between days and weeks. Pure Storage Evergreen//One™ storage as-a-service now offers a unique ransomware recovery SLA that addresses many of these recovery steps. In particular, the SLA provides next business day shipping of clean recovery array(s)*, 8 TiB/hour data transfer rate, and a technical services engineering team to finalize the recovery plan plus an onsite professional services engineer from time of array arrival through replacement of infected array(s).

As for data, it’s important to note the “ask” here: You need to know how data will be restored, as opposed to simply backed up. If data is backed up, that’s good. But if it takes several hours (or days) to be restored, that’s not good at all. Consider asking about the benefits of tiered security architectures and “data bunkers,” which can help retain large amounts of data and make it available immediately.

In addition, work with fellow executives to ensure that tiers of recovery are agreed on with other stakeholders. Application restoration priorities or tiers should be well-defined so that business units know the timeline for restoring applications and there are no surprises. The planning should also include critical infrastructure such as Active Directory and DNS. Without these services, other business applications can’t come back online or function correctly.

3. How often do we test how our systems would perform in the event of an attack?

The corollary to this question is, “How long until our data will be available again after an attack? One hour? Or 10 hours?” Only by running through all possible attack scenarios can the CISO and security team confidently benchmark the time to normal operations. Too many companies don’t even test workflows for restoring operations or gauge how much time they’ll need—or how they can improve upon those times.

You also need documentation for tests to prove effectiveness over time and to create an accurate, up-to-date heatmap. It should include details on which apps are tested, how frequently, and what the results are. The documentation should also focus on critical infrastructure that can be rapidly restored in an outage since other applications depend on it.

4. If we are under attack, how will we communicate?

Security teams need well-defined communications plans when it’s time to inform leaders about the onset of a cyberattack. If systems and email are down, what’s the chosen method of reaching out to business units? It’s important to create and update lists of cell phone numbers and alternate email addresses for contacts within IT and security teams, senior leaders, and outside security consultants such as the retained forensics team.

Also critical: preparing an external communications plan for working with the media, regulators, and legal teams. Contacts within local offices of law enforcement authorities such as the FBI in the United States may also prove useful. Also, include cyber insurance providers that can explain coverages and limitations.

5. Are we getting enough ROI from our SIEM solutions? Do we have the visibility and speed we need?

While many SIEM solutions come with plenty of capabilities right out of the box, they will still rely on underlying storage solutions to analyze massive amounts of data at high speed and be effective. Collecting data alone isn’t enough to get real ROI from SIEM solutions. Ask your CISO to dig into SIEM capabilities and performance, and consider a storage solution with built-in anomaly detection like you get with Pure1 Meta’s AIOps. It leverages machine learning to identify anomalous drops in data reduction ratios which could indicate that an attack occurred.
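The signal the text describes is worth seeing concretely: data written by ransomware is effectively random, so it neither compresses nor deduplicates, and an array's overall data reduction ratio falls sharply once encryption starts. The following is an added example, not Pure1 Meta's model or any code from the original post; it stands in a simple robust statistic (median and median absolute deviation over a trailing window) for the machine learning the text mentions, and the daily ratio series is constructed for illustration.

```python
from statistics import median
from typing import List, Tuple


def mad(values: List[float], center: float) -> float:
    """Median absolute deviation: a spread estimate that one outlier cannot skew."""
    return median(abs(v - center) for v in values)


def detect_reduction_drops(ratios: List[float], window: int = 7,
                           threshold: float = 3.5, min_drop: float = 0.5
                           ) -> List[Tuple[int, float, float]]:
    """Flag days whose data reduction ratio drops anomalously below the
    trailing `window` days. Returns (index, observed_ratio, baseline).

    `threshold` is how many MADs below the baseline counts as anomalous;
    `min_drop` ignores small absolute wobbles on a very flat baseline."""
    alerts = []
    for i in range(window, len(ratios)):
        base = ratios[i - window:i]
        center = median(base)
        # Floor the spread so a perfectly flat baseline does not divide by zero
        # and turn a 0.1 wobble into an alert.
        spread = max(mad(base, center), 0.05)
        drop = center - ratios[i]
        if drop / spread > threshold and drop >= min_drop:
            alerts.append((i, ratios[i], center))
    return alerts


# Constructed sample: two weeks of a healthy ~3:1 reduction ratio, then the
# ratio collapses on days 14 and 15 as incompressible data is written.
SAMPLE_RATIOS = [3.1, 3.0, 3.2, 3.1, 3.0, 3.1, 3.2,
                 3.1, 3.0, 3.1, 3.2, 3.1, 3.0, 3.1,
                 1.2, 1.1]

if __name__ == "__main__":
    for day, observed, baseline in detect_reduction_drops(SAMPLE_RATIOS):
        print(f"day {day}: reduction ratio {observed:.1f} vs baseline {baseline:.1f}")
```

The alert fires on days 14 and 15 of the constructed series, while a single modest dip (say, to 2.8) stays below `min_drop` and is ignored. The same statistic is the kind of thing to ask your SIEM or storage telemetry to surface: the ratio is cheap to collect, and its collapse is a storage-side indicator that complements host-based detection.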

6. How far does compliance take us in terms of staying secure?

The hard truth here is, not very far at all. In fact, compliance can be somewhat of an obstacle itself because it can create a false sense of security. There’s a saying in the security world: “Compliance never stopped an attack.” 

In other words, compliance is just one audit representing a single point in time, but security is constantly changing and requires 24/7 vigilance. Security also requires ongoing investment and skilled manpower, but compliance can undermine that case for those in the C-suite who want to save money.

7. What do you wish we would start doing—or start doing more of?

Ask this question, and the CISO and security team might talk your ear off. But you’ll likely get great feedback, like this:

  • More encryption of classified, sensitive, or personal data
  • Greater use of AI tools to perform monitoring, anomaly detection, authentication, and threat modeling
  • Up-to-date data protection that includes asset management systems, discovery exercises, and access control
  • More incident recovery exercises to make sure the organization is prepared and keeps readiness sharp

8. How can we work together to assess cybersecurity risks?

If the CISO and the security team work in their own silos, cut off from senior leaders, there isn’t much hope in obtaining answers to any of the above questions on a timely basis. It’s better to connect with the CISO to hash out plans for regular briefings within boardrooms, so issues and emergencies get the attention of the C-suite.

We love to wax enthusiastic about technology, but the fact is that security needs collaborative, healthy teams as well. CISOs know this: By 2027, 50% of large enterprise CISOs will adopt human-centric security design practices to minimize cybersecurity-induced friction and maximize control adoption, per Gartner.

So, keep talking to people. Spend time with the CISO and security staff to perform tabletop training exercises with real-world scenarios to see how attacks might evolve and where gaps exist. And connect with high-access users of security solutions to create plans for lowering risks.

*If shipping to North America, Europe, or the UK. For Asia-Pacific, it will be 48 hours.