
If you are a senior business leader today, it is becoming much harder to ignore cybersecurity as a significant enterprise risk. Even if a CEO and their leadership team have the right awareness and interest in reducing the organization’s risk, just throwing money or insurance at the problem and moving back to core business issues may do more harm than good.

This article is a starting point, designed to help business leaders to educate themselves, avoid common pitfalls and reduce the intimidation of getting more involved in a traditionally technical topic. This guide has been updated and expanded upon to be even more relevant in 2024.  

“Leaving it to the experts” is a common phrase that can signal a lack of interest or personal commitment to addressing an issue. In cybersecurity, the predominance of technical solutions and the historically IT-focused nature of most programs can be intimidating and can drive a desire to delegate or minimize its importance. As a senior company leader, limiting your engagement denies valuable insights to security leaders on the industry, human, process, and company culture challenges that need to be solved to enable transformational change.  

Consider this analogy: A manufacturing company experiences a fire. If the CEO had faced previous building fires, safety issues and preventative control failures (e.g., employee training, safety procedures, cultural change tactics, fire drills, exercises with local fire departments, etc.), would “leaving it to the experts” in the facilities and engineering team be appropriate? Probably not. Similarly, would writing an insurance policy for fire-related losses make that CEO feel like the problem was solved? I would hope not. Sure, a CEO wouldn’t design and install a fire suppression system by themselves — but solving and overseeing the changes that are complicated and in need of executive support is important.  

Unfortunately, it’s easy for companies to fall into the following common traps in information security: 

  • Oversimplifying the issue and making snap decisions during or after an incident. 
  • Buying the “latest and greatest tool” and turning it on, but not getting it to scale or supporting the ongoing investments required to get the originally expected value out of it.
  • Purchasing insurance and hoping not to use it. 
  • “Delegating” and leaving cybersecurity to the technologists in IT or specifically IT infrastructure.

If this trend continues, nothing will change. Cybersecurity will continue to be a weekly headline, and companies won’t move the needle on the problem-solving that is needed to restore consumer trust.  

Despite some of the unfortunate trends above, there is good news. Protecting your information, systems, and business operations doesn’t need to be intimidating, and senior business leaders can become personally vested and invested in helping their companies — without a Ph.D. in computer science. 

Like any other topic where the business leader is not an expert, figuring out how to ask insightful questions of yourself and your staff members is a great place to get started: 

  1. What elements of our business and operation would be most impacted by a cybersecurity or insider threat compromise? How can I help validate or prioritize answers to this question for our business to assist with prioritization?
  2. What threats and types of compromises could affect us most based upon the threat landscape that we see within our industry that could be specific to our business? How are we using this intel to prioritize our focus?
  3. How mature is our program today, and where do we see the biggest opportunities and gaps? Help me understand the top priorities based upon opportunities and gaps. I want to make sure we have prioritization and focus to maximize our progress and that any distractions are not getting in your way.
  4. What is our roadmap of improvements, and how will we achieve our goals? Are there any barriers to achieving these goals that I could help reduce?
  5. How do we measure our progress to know if we are winning or losing the battle? How can I help tie measurements to broader company measurements so that our organization can reach the right amount of accountability and visibility?
  6. How are we involving our workforce at all levels and driving culture changes? How can I help enable this to ensure the right engagement across my leadership and their staff members? Is there anything I can do to set the tone at the top?
  7. How well is information security partnered across internal groups such as physical security, compliance, legal and privacy? How can I help maximize these partnerships and enable efficiencies?
  8. Do we have a cybersecurity incident response plan, and have we practiced it? How should my leadership team and I get involved in a rehearsal so we know what to do if a cyberattack occurs?
  9. What are your biggest concerns that we haven’t already discussed? How do we ensure we have an open communication channel and trust so we can work through challenges as a company together?
  10. How can my leadership team or I further support you and your team to maximize your success? How can we best help and support the program and risk reduction?

With these 10 simple, nontechnical questions, business leaders can evaluate their company risk posture, identify the priority activities to reduce risk and learn where they can engage to help their org achieve results. 


At Reveal Risk, we evaluate, design, and deliver strong processes and results in cyber, privacy, and risk that work efficiently, are fit-for-purpose, and are sustained. If you want assistance building your company’s cyber security strategy, governance, and plan towards desired state maturity, please don’t hesitate to contact us at  


About the Author

Aaron is a former Eli Lilly senior IT/Security/Audit/Privacy/Risk leader with over 20 years of experience in the pharmaceutical and life sciences sector. He founded the risk management working group for the H-ISAC (Healthcare Information Security and Analysis Center), which enabled information sharing and benchmarking across pharma, payers, and health care providers. Aaron is a certified Six Sigma black belt with a career emphasis on building and improving internal processes and controls.
