Are you asking your CTO about cybersecurity?

Julia Fleenor Avatar

Cybersecurity is one of the most difficult parts of the tech world to get right. First, it’s incredibly difficult to be an expert. Second, it evolves rapidly as the incentives for “bad guys” are high. Third, it doesn’t add to the bottom line. Best case it’s revenue neutral… right up until the worst case happens and your entire business is at risk.

At Techquity we can help you assess your landscape, advise your team on how to fix the issues, and potentially lean in with industry expertise to act on those actions.

What questions *should* a CEO be asking?

As noted, expertise in cybersecurity is very specialized. But you can start with some basic questions of your CTO or Tech Team:

  • Do we have a system-wide threat model?
  • Do we know where all of our software comes from?
  • Are key assets protected in the event of a ransomware attack?
  • Do we have a plan for common attacks like denial of service or ransomware?

Threat models

Threat modeling is one of the earliest tools in cybersecurity and is still one of the best. In its simplest form, a threat model is a view of the architecture of the company. This should include the software developed in-house as well as outlining key interactions with employees and customers. 

A threat model is like an electrical diagram of your house – it won’t fix a short circuit but it will inform the team where likely problems will occur. The other “win” in asking about a threat model is that it will quickly show places in your tech stack that aren’t very well understood or that might be due for an upgrade. Especially as a team scales, many of the early “just good enough” decisions begin to show cracks.

Digital supply chain

Recently we wrote a lengthier article about the importance of knowing where your supply chain comes from. As software becomes more complicated there are ever-growing dependency chains that might seem innocuous but can become attack vectors later. Ask your tech team what automated tools they run and how often to validate these dependencies. And most importantly what the process is to address issues when they are flagged.

Protecting key assets

Sooner or later every system is attacked and often compromised. Even big tech companies like GoDaddy can be “zombie-fied” i.e. compromised for several years and running malware on their systems.

A key question to ask coming out of the threat model process is to understand what assets are mission-critical for your business. If that asset were to suddenly disappear, could your tech team bring it back in time to keep the business running? The degree of service isolation and protection varies depending on the type of data, the cost of saving isolated backups, and the real-time nature of your business.

One thing we often hear is “our data is in the cloud, so it’s safe”. This is a dangerous path to take as we saw with Garmin a few years back when their data was compromised as were all of their backups.

What do we do when an attack happens

First, will you know an attack is happening, and if so, who is notified. There are many offerings that can scan for attacks and notify the team. Knowing is the first step.

Second, what is your plan for this fire drill? Not every attack or issue can be predicted but having a “runbook” for some of the more common issues e.g. Distributed Denial of Service (DDoS) should be standard practice.


Cybersecurity is becoming more important as nation-state actors are becoming more active. While the Cloud has some built-in defenses it also offers brand-new attack surfaces that are not always well understood.

The first thing a savvy CEO or Board Member should do is start by asking the right questions.

Tagged in :

Julia Fleenor Avatar