Top 10 cyber security questions to ask your IT team or supplier

For mid-market CEOs, security is no longer just an IT issue; it is a Board-level responsibility that directly affects operations, reputation, and growth. These 10 questions can reveal more about your business risk than any technical report.

It’s getting tougher to ensure security. The average mid-market business has a plethora of devices and suppliers, with ownership of various services spread amongst several people – each with their own credit cards and logins.

Your job as CEO is to ensure that all these services and people are as secure as possible. You can’t assume your IT team or suppliers are on top of it. You need to ensure they are by asking the top 10 cyber security questions.

Their responses – or lack thereof – will also trigger the development of a reasonable, affordable, and workable security strategy for your business.

Why cyber security needs CEO-level attention

Cyber security is complicated, fast moving, and increasingly commercial in impact. A serious breach can halt operations, damage customer trust, and consume management time for months.

And yet most breaches we see are the result of basic failures which could have been easily addressed – in fact, the vast majority of cyber attacks can be thwarted by relatively simple steps. For CEOs then, the question is whether your team and suppliers have the ability and experience to put these basic measures in place.

The answers (or non-answers) to the following questions will help you assess the situation. Asking these questions will also serve as a starting point for making improvements.

The 10 cyber security questions every CEO should ask

  1. Do we have a clear strategy framework for cyber security?
    Start with basic questions about how much cyber security matters to your business. Consider the likely breach scenarios and business impact and assess whether your company’s effort and investment in cyber security is consistent with the risks. Ensure you have a senior expert to set the policy and to be accountable.
  2. Do we have basic housekeeping measures in place, and do we get them right every time?
    Basic cyber security measures include a complete list of assets as well as documenting that all these assets – including mobile devices – are properly managed. The most basic points to ask about: AV and patching, full disk encryption, spam filtering, phishing prevention, management of removable media, and basic data loss prevention. All these measures must be up to date all the time, every time.
  3. Do we have security accreditations? Do we need any to comply with industry regulations, insurance requirements, or contractual obligations?
    UK Cyber Essentials and Cyber Essentials Plus are excellent starting points for security and compliance. For companies that want or need a more comprehensive framework, ISO 27001 is the standard.
  4. Do we have a principle of least-access?
    If a user only has access to the data they need for their job, then compromising their account has limited impact. On the other hand, many breaches occur because there are too many powerful or overprivileged accounts with access to sensitive data. And we often see doors left wide open when administrators leave or change roles, but access is not tidied up.
  5. What are we doing about backups?
    Backups are as vital as they’ve ever been. Many cloud systems provide backup as part of the service, but not always, and the quality varies. Often cyberattackers first sabotage your backups, so you need to ask if they are physically separate (‘air-gapped’) and locked (‘immutable’). Make sure that restore tests are part of your routine.
  6. What’s our plan in case of a cyberattack?
    Don’t wait until after it happens – plan for it. Make sure you’ve got adequate cyber insurance and that you’re compliant with the policy. And definitely make sure that in the case of a cyberattack your managers know what to do, where to find information, and how to contact trusted advisors – even when systems are down.
  7. Do we have independent vulnerability assessments or penetration tests, and have we assessed or managed all the findings?
    It’s critical to use independent experts to conduct continuous vulnerability assessments or at least regular penetration tests. Rather than ask your own team or existing MSP to make this assessment, always use a third party – and don’t always use the same one.
  8. Do we have an IT risk register, and are we reviewing the risks on a regular basis?
    A sensible starting point for all planning and activity is a list of possible risks. Creating this list is an opportunity for a wider group to understand the possible scenarios and impacts and then to decide who owns the risk and an appropriate response, even if it’s ‘do nothing.’ The responses can include preventative steps or plans for mitigation in the event of a breach.
  9. Are the leaders of the business creating a culture of security?
    Most breaches occur because people fail to take basic steps. It might be a powerful system administrator who lacks training or discipline, an ordinary user duped by a phishing email, or the CEO who writes their password on a post-it note. Leaders need to create a culture where regular training is expected and welcome; where users have a healthy suspicion of an email from an unknown source; and where it’s OK to challenge an urgent request for a cash transfer.
  10. Do we have the necessary physical security?
    Criminals can bypass many cyber security mechanisms if they gain access to your premises, so check that your business is taking the basic steps – building passes, a clear desk policy, and locked server rooms. Staff need to know not to leave office laptops and phones unattended or unlocked in public.

Turning answers into action

Ensuring security is becoming more difficult, but it does not have to be overwhelming. Start by asking these 10 cyber security questions and listening carefully to the answers. They provide a practical way to assess readiness, highlight weaknesses, and begin building a security framework that fits your business.

If you cannot get clear responses, or if ownership feels fragmented, it may be time to bring in experienced IT leadership. A senior CIO, CTO, or CISO can help translate technical risk into commercial decisions, create a realistic roadmap, and ensure security supports growth rather than blocking it.

If you’d like support turning these questions into a workable security strategy, get in touch for a no-pressure conversation.