How should CEOs prepare for and respond to cyber attacks?
15 Answers
As I have written elsewhere, CEOs should institute a new role within IT: the Cyber Commander. The title could be changed, but the point is that countering targeted attacks is far different from today's operational security requirements of vulnerability scanning, patch management, AV, firewalls, and IPS. The cyber defense team must use special purpose tools to root out incursions, prepare for DDoS defense, research the malevolent actors that target the organization, and be ready to respond 24x7 to attacks.
Reference: http://www.slideshare.net/CeBITAustralia/it-security-1125-1155-richard-stiennon
They should take full responsibility and institute a policy that senior executives for each line of business sign off on a standard suite of automated security tests and "white hat" penetration tests before allowing an application or an update to an application to "go live." Otherwise, it's see no evil, hear no evil, speak no evil. Unless the CEO makes it absolutely clear that security is a mission critical quality of an application and that security issues directly affect people's careers at the company, the CEO should take full responsibility for any security issues. Otherwise, ignoring security issues is a way of saving short term expenditures, against which a large payout may need to be made. In this sense, it seems like it's a fiduciary responsibility of management to budget each quarter for security compliance. Otherwise, the shareholders end up with a "steamroller" type event, much like an earthquake or another natural disaster, against which the company has paid no premium and must suddenly charge to the business as if such events were unanticipated and/or under control.
One of the first things the company must do is have a comprehensive (multi-regional/global if it's a multinational company) risk assessment. The Board must absolutely identify what its key prize assets and crown jewels are. Then it must assess how these crown jewels might be affected by a breach in information security - and take the worst case scenario. Focusing on the 'crown jewels' and working 'downwards' from the top (assigning responsibility from the top downwards) should reduce the scope of the assessment to manageable levels.
Following that, scenario planning sessions with the CISO, heads of key business departments and information security experts from the security team should be held at least once a year to take into account new and emerging threats, trends and technologies. These sessions should then end up with a short document, with a ten point plan on the key steps for the CEO and board to follow when responding to a major incident. This document must include what determines/identifies a 'high' severity incident, key contacts (phone numbers, emails, backup contacts etc.) and responsibilities, prepared media and legal responses, and how to kick start technical response procedures (detailed in a lower level document prepared by the security team). The ten point document must also state when and how to contact local and government law enforcement authorities and/or (trusted) peers in the industry to liaise/co-ordinate responses. One key element of a modern response plan is how, and what to say, in media such as Facebook, Twitter etc. This can make or break a company's reputation in today's world, where bad news can very quickly go viral.
Brian and Richard make some important points that revolve around the theme of "taking cyber attacks seriously".
Too many organizations look at cyber security in the same way that they look at contingency planning for earthquake or civil unrest in a Western country -- i.e. as something that is not likely to occur, but for which it would be a good idea to have some preparation.
However, cyber attacks are a virtual certainty at this time -- whether targeted or scripted. Even if we exclude hacktivists and other politically motivated attackers, and even if a particular organization does not have direct financial resources tied to their website, there are so many script kiddie attacks that are floating across the internet at any given time that no organization should expect to avoid getting hit.
CEOs need to take this class of threats as seriously as they would the defection of customers by way of departing sales agents/managers.
As others have suggested, a comprehensive plan needs to be developed, led by someone on the senior team, who will drive the full spectrum protection, auditing and assessment activities of the organization's infrastructure and applications.
Without an inventory, asset classification and risk assessment, there can be no effective security program. And, most importantly, security mitigation activities must be embedded into the organizational DNA, and must have as much priority as revenue generation activities at all levels.
We're going to have to get past the mindset that information security is an IT issue. It's not - it's a *business* issue. Sure, it involves IT, but if executives were to look above and beyond the bits and bytes, they'd see that information risk directly impacts business risk.
We're seeing more and more situations where people (executives and politicians alike) simply write off security breaches as an "inconvenience" like what just occurred with Orlando Mayor Buddy Dyer's re-election website:
http://www.wftv.com/news/28411091/detail.html?cxntlid=cmg_cntnt_rss
Such breaches are not just an inconvenience. They're an indicator of just how serious the victims are about security. "I got hacked" is the new scapegoat as I wrote about here:
http://securityonwheels.blogspot.com/2011/06/weiner-fallout-i-got-hacked-is-n...
Rather than proclaiming things like "We don't have anything that hackers would want." or "We trust our employees to be on the up and up.", executives need to realize that all of the sensitive information (personal info and intellectual property) stored and processed on the business network and mobile devices can be - and likely is - a liability. What do executives do about non-IT liabilities? They do whatever it takes to address the risks and move on. Not so in IT - at least that's what I'm seeing in my work.
Unless and until executives accept the reality that information security is ultimately their problem, we'll continue down the path we're on. Given how people *still* don't use their seat belts in their cars and people *still* smoke and do other knowingly harmful things to themselves, I'm convinced information security is a human issue that will likely never be solved.
I may be wrong...I often am. I'll remain cautiously optimistic but I'm not holding my breath.
Just for reference, here's an article that I think articulates the core issue.
Sony CEO Asked to Step Down at Shareholders’ Meeting | DeltaGamer http://t.co/7Ib4zEN
At this shareholder meeting when confronted by a shareholder regarding the security issues at SONY, CEO Howard Stringer responds,
"I think you see that cyber terrorism is now a global force, affecting many more companies than just Sony. If hackers can hack Citibank, the FBI and the CIA, and yesterday the video game company Electronics Arts, then it’s a negative situation that governments may have to resolve.”
For me when the CEO of one of the world's most prestigious brands tries to pass the buck by suggesting that governments may have to resolve the issue and that Sony is powerless to defend against hackers, then I know this is an issue, like safety (cf. the lack of attention to safety at Fukushima), that the business doesn't feel is an important issue. The seventy million or so people who had their account data compromised most likely feel very differently.
It's rare that a global CEO asks the government for help. Most CEOs will tell you that business is best left to the business, and that governments should not regulate nor interfere. Also, LulzSec reports that it was able to hack SONY accounts using a very basic sql injection attack: http://www.wired.com/threatlevel/2011/06/lulzsec-sony-again/
Even the most basic automated security scans, such as Rational Purify or IBM's Ounce, or a static analysis code scan using Parasoft's Jtest or another static code analysis suite, would have identified a SQL injection vulnerability. The fact that Sony could be hacked (again) by such a rudimentary and preventable approach clearly indicates the fundamental and utter lack of awareness and interest in application security at Sony. The SQL injection attack, as well as other attacks at Citibank, had little to do with the capability of hackers and everything to do with Sony's negligence at the executive level. While politicians cry out for tighter security, the fact is that for these kinds of rudimentary attacks, the procedures, the knowledge, the technology are all present and available. Yet due to the lack of interest in security at Sony and Citibank and other firms, no technology can save them from their own lack of diligence. To blame hackers for these kinds of security breaches is so far removed from reality as to be akin to trying to give out speeding tickets at the Indy 500.
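The "very basic SQL injection" this answer refers to, shown as an added example that is not part of the discussion above and not Sony's code: a login query built by string formatting, beside the parameterized form that a code scanner or reviewer would expect instead. It runs against an in-memory SQLite database with two constructed rows; the function names and the sample users are assumptions for the illustration.

```python
"""Added example: string-built SQL (injectable) vs. a parameterized query.

Runs offline against an in-memory SQLite database seeded with constructed
sample rows. Passwords are stored in clear text only to keep the example
short; hashing them is a separate (and also mandatory) control.
"""
import sqlite3


def make_db() -> sqlite3.Connection:
    """Create a throwaway database with two constructed users."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password TEXT)"
    )
    conn.executemany(
        "INSERT INTO users (username, password) VALUES (?, ?)",
        [("alice", "correct horse"), ("bob", "hunter2")],  # constructed sample rows
    )
    conn.commit()
    return conn


def build_vulnerable_sql(username: str, password: str) -> str:
    """The defect: user input is spliced into SQL text, so quotes in the
    input change the structure of the statement, not just its values."""
    return (
        "SELECT username FROM users "
        f"WHERE username = '{username}' AND password = '{password}' "
        "ORDER BY id"
    )


def login_vulnerable(conn: sqlite3.Connection, username: str, password: str):
    """Returns the matched username, or None. Bypassable with a crafted input."""
    row = conn.execute(build_vulnerable_sql(username, password)).fetchone()
    return row[0] if row else None


def login_parameterized(conn: sqlite3.Connection, username: str, password: str):
    """Same logic, but the driver binds the values to '?' placeholders, so
    a quote or a comment marker in the input is just data in the comparison."""
    row = conn.execute(
        "SELECT username FROM users WHERE username = ? AND password = ? ORDER BY id",
        (username, password),
    ).fetchone()
    return row[0] if row else None


# Two classic payloads; the first turns the WHERE clause into a tautology,
# the second comments out the password check entirely.
TAUTOLOGY = "' OR '1'='1"
COMMENT_OUT = "alice' --"


if __name__ == "__main__":
    db = make_db()
    print("vulnerable, honest login:  ", login_vulnerable(db, "alice", "correct horse"))
    print("vulnerable, tautology:     ", login_vulnerable(db, TAUTOLOGY, TAUTOLOGY))
    print("vulnerable, comment-out:   ", login_vulnerable(db, COMMENT_OUT, "anything"))
    print("parameterized, honest:     ", login_parameterized(db, "alice", "correct horse"))
    print("parameterized, tautology:  ", login_parameterized(db, TAUTOLOGY, TAUTOLOGY))
    print("parameterized, comment-out:", login_parameterized(db, COMMENT_OUT, "anything"))
```

Printing `build_vulnerable_sql(TAUTOLOGY, TAUTOLOGY)` shows exactly the statement the database receives, which is also the pattern (a format string or concatenation feeding `execute`) that static analysers flag as a SQL injection sink.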
From a CEO standpoint, the focus for each phase, prepare, respond, and damage control, is different.
In the prepare phase the focus should be on understanding the company's information risks, and developing and implementing good risk mitigation plans that eliminate or minimize the risks. A cyberattack is also a risk. If an organization does not do too much business over the internet, then the impact from a cyberattack is minimal. Hence, the CEO needs to quantify this risk and understand the impact of a cyberattack.
In the respond phase, the focus should be on eliminating the threat and reducing the impact. The focus should also be on understanding the business impact to the organization, customers, suppliers and other related parties due to the cyberattack.
In the damage control phase, the focus should be on cleaning up from the cyberattack, implementing temporary break-fixes, and identifying root causes. Communication with external parties and customers is an important part of this phase. The key is to reveal adequate information to all impacted parties in a transparent manner and to provide guidance on what they need to do to protect themselves.
CEOs should make it clear that investing in cyber security is expected of their senior executives and cannot be ignored. This investment must include a directive to the information technology organization that they must invest money and energy into securing their systems to the highest level possible and, if applicable, meet whatever compliance standards apply to their industry (Did you know that the vast majority of those sites -- 79% according to the Verizon Data Breach Report -- which were breached and were subject to the PCI standard had not met that standard at the time of the breach?). Additionally, if applicable to their systems, the US Defense Information Systems Agency ("DISA") has its Security Technical Implementation Guides ("STIGs") for the various systems used within the US Department of Defense (http://iase.disa.mil/stigs/). While the checklists in these guides may not be totally applicable to every organization, they are an excellent start for an internal security staff to review their organization's systems against.
When that is complete, it is time to bring in external experts for both security assessments, to assure that the system and its security are configured properly, and also to review the system integrity of the code executing on the system. Unfortunately, recent surveys have shown that the largest security threats and actual breaches are coming from the inside – employees and contractors – and these are the people who are in the optimum position to leverage system integrity vulnerabilities for their own personal gain and leave no trace of their activities.
Cyber attack defenses need to be an integral part of not only IT's cyber security process but also embedded in the Disaster Recovery, Risk Management and Business Continuation processes.
Today, there are so many more elements to security than even 10 years ago. Physical security is as important as electronic security, and the combination must be considered in the IT Strategic Plan. Types of back-up systems, both on-site and off-site storage of mission critical data, and "time to recover" are all important pieces.
I see the CEO's job here as ensuring that all these elements are in place and that they are appropriately sized and costed for the size, customers and mission of the business.
Kevin -- I understand your response and agree with a good deal of it, but my question is "what is your solution?" Should we simply give up and let the chaos mongers prevail, or should we view cyber security as an essential part of our businesses at all levels?
I'm a former three time CEO and have faced the "people problems" all of my career. I don't find them impossible, just difficult.
John, it sounds like we're saying the same thing.
My solution is contained in my 1st and 4th paragraphs above. Executives must get on board and stay on board with security. Sure, it's up to everyone in IT and across the business to keep them abreast of what's taking place....But we've been doing that for years...decades. Yet, a quick glance at the following site highlights that executives are STILL not taking security seriously:
https://www.privacyrights.org/data-breach
I know it's easy for me to make blanket statements that, in reality, don't apply to *all* executives. But what exactly does it take? How many breaches? How many lawsuits? How much eating crow?
Only executives can provide the political and financial backing necessary to make this stuff work. So, given your experience: what's your solution?
John,
Unfortunately, I have to agree with Kevin on this. Executive management still has not bought into these investments in information security and protecting against cyber attacks. I don't know whether it is that they are oblivious to this, or that upper IT management is oblivious to this, or that the people in the organization who understand the threats and vulnerabilities just cannot make their case.
Barry
First, establish clear, objective metrics with weekly scorecards showing how all categories/disciplines of the entire security program are performing. Then benchmark those scorecards against your company's internal goals and the performance of your peer group. Without this approach a CEO has no context for where security is strong, adequate or weak. And without this, it's easy to fall into the trap of rifle-shot protection (simply reacting to last week's news).
As a CEO I want to know that we are taking a comprehensive approach to security that is both in line with our risk tolerance and at least equal to or better than my own industry's investment/performance. And I want hard data on an ongoing basis proving this to me. That way I know where we need more investment, better execution, resource adjustment, etc.
And yes, this is entirely possible, including benchmarking vs. your company's peers: see http://benchmark.ncircle.com
Great answers/links guys. In all seriousness, I think we should just take the route proposed by Sony's Howard Stringer and let the government handle it. They seem to have everything else down pat as I've raved about for years:
http://securityonwheels.blogspot.com/search/label/government%20regulations
;-)
Great answers above. I worked for a firm that helped companies identify their risk points for a while. I would look at the following:
1) Understand the law as it relates to housing information on your customers (names, social security numbers, etc).
2) Identify, as someone else said, where the "crown jewels" are from both an information standpoint and a physical standpoint
3) Hire a good firm to hack you, technically and physically.
4) Take their advice and do what they tell you to do
5) Have a communication strategy document and plan in place before you are hit. Don't think about how to respond after the fact.
A few examples of what the company I worked for did include:
- We were able to get to the administrator account (undetected) in a very large organization because the company failed to apply Microsoft security patches to some of their desktops and servers. Once there, we could do anything we wanted.
- We were able to get into the Legal Counsel's office and take photographs of highly sensitive documents regarding an upcoming merger because the company's physical security was too loose. We tailgated into the company with a group of employees, flashing a phony badge to the security guy. We hired an attractive woman to carry a couple of "heavy" boxes up to the security checkpoint and try to access the door security with a phony badge (which failed). She looked at the security guard with a frustrated look: "Oh this stupid badge! I have to get a new one, this is ridiculous." He smiled, got up and let her in.
- We were able to get into an area in a bank we should have never gotten into because we flashed a phony badge at a young receptionist, claimed to be from the FDIC and just walked past her.
- We have gotten bank employees to give out information they should have never disclosed over the telephone.
My point is: you are under attack from many different points. Computer security is only one aspect of what you have to worry about.