Three Things To Ask When A Company In Your Industry Gets Hacked

Forbes Technology Council
Post written by Dave Merkel

“There are no guarantees in life.” It’s a common quote that rings true in many situations -- unless you’re talking about cybersecurity.

At some point, your organization will fall victim to a security incident. An unsuspecting employee will click on a cleverly disguised phishing email. Another company in your industry will get hacked. And when the breach makes headlines, you’ll be left wondering whether the same thing could happen to you. (By the way, the answer to that question is yes.)

As the CEO, it’s your job to identify the risks that you care about. A security breach at a peer company can reorder those risks -- for example, protecting customer data or safeguarding your company’s secret sauce may move up the list. It’s also your job to tell your chief information security officer (CISO) what those risks are, and when they change, so they can mitigate them accordingly.

So, when a peer gets hacked, don’t hit the panic button. Instead, have a conversation with your CISO, and ask these three questions.

1. What’s the risk in question, and have we planned for it?

Does your CISO have a framework that your organization measures itself against? If so, now’s the time to dust it off and see if your security team accounted for whatever was at the root of the security incidents that are popping up at peer organizations.

If you’ve planned for the risk, great. If not, why did your CISO and team make the decision not to account for it? Is there a reason that it’s irrelevant to your organization?

If there’s any chance that this same risk could impact your company, ask your CISO to conduct a quick assessment to understand security risks and technical control gaps related to this new wave of breaches. Then, they can quickly get some guardrails in place to make sure your organization is protected against the latest crafty attacks.

2. Should I change my risk assessment of our organization based on what happened to our peer?

Your immediate reaction probably involves asking your CISO to make a bunch of changes to the company’s security program. Don’t do that. Instead, based on what you know now, ask your CISO if they advise that you do anything different in the immediate term to change your company’s risk posture. If so, why? If not, why?

It’s not always necessary to immediately change things in your organization if a peer was breached. The technology environment may be different. The company may transact in different data than you. The attacker could have a specific motive that doesn’t include your organization. The attacker may have entered through a part of your peer’s supply chain that you’re not exposed to. There are many possibilities as to why your own organization might not be as vulnerable as another business in your industry.

However, these details may not be available to you, which is why it’s important to have a deliberate conversation and apply risk-based thinking to guide whatever steps you decide to take next.

3. What operational dials can we turn up to have better visibility into what’s happening with our network, in the cloud or with our employees?

Based on the risk in question, your CISO will lay out the best path for protecting your data, and they will tell you if and how any operational dials need to be adjusted to give the security team better visibility into what’s happening on your network.

For example, if there’s a specific technique an attacker is using to infiltrate companies that are similar to yours, who in your organization is on the lookout for those techniques being used in your environment? And does that person have the right level of visibility to catch something on your network that looks a lot like what your peer just experienced?

Or, if that company was an unfortunate victim of a business email compromise that then spread malware to its entire fleet of devices, is two-factor authentication turned on throughout your organization to reduce the chances of a crafty phishing email making its way to Jeff over in finance?

When someone else in your industry is breached, you should definitely pay attention. How you pay attention can significantly affect how well your organization responds. Be thoughtful. Ask good questions about risk, and let your CISO guide you.
