Questions management should ask their security team - and the answers they should expect.
Basic Questions
- "When were we last tested and what were the findings?"
- "Have all critical findings from the last test been fixed?"
- "Would we detect if someone broke into our systems today?"
- "What is our incident response capability?"
- "Who has admin access and do they all really need it?"
Questions That Reveal Truth
- "If someone stole all our data today, when would we find out?"
- "What is our security capability without key person X?"
- "Which system, if compromised, would hurt us the most?"
- "What would happen if all our employees received a convincing phishing email?"
Red Flags in Answers
- "Everything is secure" - No one knows everything
- "We have [vendor solution]" - Tools aren't strategy
- "IT/vendor handles that" - Responsibility isn't transferable
- "We've never had a problem" - Lack of detection isn't lack of attacks