On the business side
(CEO, CFO, CRO, legal, internal audit, and board members):
- Is cybersecurity an integral part of your business model
and strategy? Who leads your cyber incident program and is it cross functional?
- How aware are you of what strategic threats and adversaries are targeting you and why?
- Are you able to demonstrate compliance to existing legal and regulatory requirements directly related to cyber?
- Is there an understanding of the cost of recovery vs. the benefit of cybersecurity investments?
- How are you assessing your cyber risks associated with your business partners, vendors and third parties?
- How often are you conducting a full audit of your cyber readiness capabilities from detection to response?
- Are you contemplating entering the cyber insurance market with products?
- What are you doing to assess cyber risks of your clients related to insurance risk?
On the technical side
(CIO, CISO, CTO):
- To what extent does the executive team leadership team understand and invest in cybersecurity and appreciate return on their investment?
- Are you leveraging threat analytics and research to understand attacks and incidents in order to identify systemic issues and root causes? Are these systems integrated into your overall SIEM and compliance systems so your teams know what and how to respond to threats?
- What is your cybersecurity framework based on (e.g. NIST CSF, others)?
- How is cyber resilience managed for new systems, projects and products – what types of testing and validation do you conduct?
- How often are you conducting a full audit of your cyber readiness capabilities, from detection to response?