The risk isn’t “having a security incident”; it’s about handling it in a calm, collected, and methodical manner so a small incident doesn’t turn into a major one. Or, worst case, a major one is identified and mitigated in minutes, as opposed to days. This sort of reinforces the “there is no real ROI” argument, as a motivated threat actor will not give up just because they were stopped once.
- What proactive measures do you have in place now, and what would you like to have or implement as part of your go-forward strategy to reduce the overall impact and expense of an incident and of potential future ones?
- How has the shift to the cloud changed your security strategy?
- How are you managing to attract and retain staff with relevant skills?
- To what extent are you able to exercise governance over the cloud service you are using?