2. Appoint a "Cyber Commander" to oversee defenses against targeted attacks. "The title could be changed, but the point is that countering targeted attacks is far different than today's operational security requirements," says Richard Stiennon, chief research analyst at IT-Harvest.
Security needs to be as important as revenue, Baker adds.
3. Use US Defense Information Systems Agency checklists as a model for security reviews. According to Schrager: "While the checklists in these guides may not be totally applicable to every organization, they are an excellent start for an internal security staff to review their organization's systems against."
4. Make cyberattack preparedness a way of life. "Cyberattack defenses need to be an integral part of not only IT's cybersecurity process, but also embedded in the disaster recovery, risk management and business continuation processes," says John Anderson, principal at The Glowan Consulting Group. " … Types of back-up systems, both on-site/off-site storage of mission-critical data and 'time to recover' are all important pieces. I see the CEO's job here as ensuring that all these elements are in place, and that they are appropriately sized and costed for the size, customers and mission of the business."
5. Get third-party reviews. According to Schrager, companies should "bring in external experts for both security assessments to assure that the system and its security are configured properly and also to review the system integrity of the code executing on the system. Unfortunately, recent surveys have shown that the largest security threats and actual breaches are coming from the inside."