3 questions to ask your technology leader

Dave Nelson, CISSP, is president and CEO of Integrity.

“Time is of the essence.” “Time is money.” Yadda, yadda, yadda. You’ve heard it all before. Every business leader is pressed for time in one way or another. That’s why today’s post is quick and simple: Three questions every business leader should be asking their technology leader or IT service providers.

1. How are we coming on addressing the top risks identified in our latest IT risk assessment?

This assumes you have performed a high-level risk assessment with your CIO, CFO, Legal, HR and Insurance teams within the past year. Technology is changing daily. The way we use technology is changing just as fast. Are you up to speed on the risks that your organization is facing from the use of technology in your business operations? Are you addressing the biggest risks first? Are your investments to lower risk working? Are there new laws that could change your risk? Can new insurance products transfer some of the risk? Ask questions of your leaders. Make sure sufficient progress is being made to reduce risk where necessary.

2. Do we (you, for vendors) have the expertise on staff to deal with the changing threat and regulatory landscape?

This is a tough question to be asked. We all hope to have the best and brightest on our teams. The reality is we always have gaps. Make sure your leaders know gaps are OK. They do, however, need to be identified and dealt with. Perhaps you have a security team already. Great, but do they have all the skill sets needed to fully protect the organization? If not, can they get them? Should they? Are contracts or retainers with experts a better solution? Either way, it’s best to be prepared. You can’t afford to be caught flat-footed in this rapidly changing security environment. When using external IT providers, don’t assume they have security expertise. Ask for proof.

3. Can you provide reasonable assurance that we’ve not had a system breach in the past “x” months and will your evidence stand up to an independent third-party review?

The idea here is to make people uncomfortable. You don’t want to be placated. You don’t want to hear someone touting their belief in the team. You want concrete evidence. Make them show you months of event logs that have been reviewed for anomalies or malicious activity. Ask for something, anything. Just don’t settle for “We believe our systems are safe”. Even if you have no plans to get an independent review, ask them to be able to support their conclusions. As Ronald Reagan said, “Trust, but verify”.

Business leaders who get answers to these three questions will be far ahead of their peers and competition. While there is a “right” answer to every one of these questions, the “right” answer will be different for everyone. The important thing is to ask the questions and to feel comfortable with the answers you’ve been given. That’s what IT risk management is all about.

Dave Nelson is president and CEO of Integrity. Dave Nelson 2015 IowaBiz Blog

Email: dave.nelson@integritysrc.com

Twitter: @integritySRC | @integrityCEO

Website: integritysrc.com
