There’s a saying in cybersecurity: “It’s not if, it’s when.” How can you ensure you’re doing all you can to safeguard your organization? If you’re in a leadership role, it’s helpful to first understand what safeguards are in place and where there may be gaps. To get the conversation started with your security team, here are five key questions to ask your CISO—plus a download, Ten Questions to Ask Your CISO, to guide more in-depth discussions.
1. Do we have a vulnerability and patch management program? How do we measure its effectiveness?
Installing software patches and updating systems to eliminate vulnerabilities are the low-hanging fruit of security tasks. However, it’s not easy for busy security teams to get into a regular cadence regarding patching and upgrading, which means it’s painfully easy to let these tasks slide. The Kaseya ransomware attack affected as many as 1,500 businesses that use the company’s supply-side software. And it may have been caused by the company’s inconsistent patching program. (In fact, employees appear to have complained to senior leaders about sloppy patching practices to no avail.)
If your security team confirms that your company has a patch management program, then the next questions to ask are: How do we measure success, and what are the SLAs?
Patching can’t do much good if the patches are applied months or even years after they’re released. Security teams must maintain and track currency in your management programs and clearly demonstrate their effectiveness. Ideally, teams should target to install patches within days or maybe a couple of weeks. For major releases, the target should be n-1, or at worst, n-2.
If the security team tells you there is no patch management program or the program is too slow or ineffective, there’s no time like the present to get one started—or get your existing one amped up.
2. Do we have a recovery plan mapped out in case we do suffer a ransomware attack? How will we restore data?
Security teams should consider setting up forensics retainers with outside firms that clearly define SLAs, response, and cost. And this arrangement needs to take place before attacks happen. The last thing anyone wants is to scramble for help as an attack is occurring.
As for data, it’s important to note the “ask” here: You need to know how data will be restored, as opposed to simply backed up. If data is backed up, that’s good. But if it takes several hours (or days) to be restored, that’s not good at all. While ransomware trackers have all of your mission-critical data locked up, do the C-suite and employees really expect everything to grind to a halt?
Consider engaging in a discussion with the CISO about the benefits of tiered security architectures and “data bunkers,” which can help retain large amounts of data and make it available immediately. Understand what the restore process looks like, what will be manual, and how long it could take.
In addition, work with fellow executives to ensure that tiers of recovery are agreed on with other stakeholders. Application restoration priorities or tiers should be well-defined so that business units know the timeline for restoring applications and there are no surprises. The planning should also include critical infrastructure such as Active Directory and DNS. Without these services, other business applications can’t come back online or function correctly.
3. How often do we test how our systems would perform in the event of an attack?
The corollary to this question is, “How long until our data will be available again after an attack? One hour? Or 10 hours?” Only by running through all possible attack scenarios can the CISO and security team confidently benchmark the time to normal operations. As we heard security experts say during our recent Pure//Accelerate® Digital sessions, too many companies don’t even test workflows for restoring operations or gauge how much time they’ll need—or how they can improve upon those times.
You also need documentation for tests to prove effectiveness over time and to create an accurate, up-to-date heatmap. It should include details on which apps are tested, how frequently, and what the results are. The documentation should also focus on critical infrastructure that can be rapidly restored in an outage since other applications depend on it.
4. If we are under attack, how will we communicate?
Security teams need well-defined communications plans when it’s time to inform leaders about the onset of a cyberattack. If systems and email are down, what’s the chosen method of reaching out to business units? It’s important to create and update lists of cell phone numbers and alternate email addresses for contacts within IT and security teams, senior leaders, and outside security consultants such as the retained forensics team.
Also critical: preparing an external communications plan for working with the media, regulators, and legal teams. Contacts within local offices of law enforcement authorities such as the FBI in the United States may also serve useful. Also, include cyber insurance providers that can explain coverages and limitations.
5. How can we work together to assess cybersecurity risks?
If the CISO and the security team work in their own silo, cut off from senior leaders, there isn’t much hope in obtaining answers to any of the above questions on a timely basis. It’s better to connect with the CISO to hash out plans for regular briefings within boardrooms, so issues and emergencies get the attention of the C-suite.
To strengthen relationships among teams, spend time with the CISO and security staff to perform tabletop training exercises with real-world scenarios to see how attacks might evolve and where gaps exist.
Download “10 Questions to Ask Your CISO” for These and More Action Items
Security should be everyone’s priority. Not just the IT team, not just the network admin, and not just the InfoSec team—everyone, including you.
The impacts of security threats can be far-reaching and devastating, affecting everything from revenue and productivity to your organization’s reputation and even your customers’ businesses. Looking at the Kaseya attack, it’s clear that hackers know exactly what systems and data can cause the most damage. It’s in your best interest to understand your security strategy and partner with your security team to ensure they have the visibility, budget, and buy-in they need.
Download this sheet and use it to help kick off more productive conversations with your CISO and security team. And learn how Pure Storage® can provide your organization with the ultimate in rapid recovery solutions.