The Top 7 IT Questions CEOs Should Be Asking


There is a lot to worry about when you’re a CEO.  Typically, IT isn’t at the top of the list.  There are other things that demand focus and should take priority like growth and culture.  However, the best executives recognize that IT can have a huge impact on the bottom line.  Here are the top 7 IT questions CEOs should be asking. 

These questions will help you identify and quantify risk to your organization, understand the potential impact IT can have on operations, get closer to understanding the cost of an outage, raise awareness of your current protections against cybersecurity threats, and learn how IT affects culture.  Finally, they can open conversations with your team that will let you quickly gauge where you’re at and what actions to take. 

What is the financial impact of downtime?

This question seems straightforward but is a little more involved to answer than you think.  Assume you have a 10-million-dollar company.  You have a server outage, or a cybersecurity incident that shuts down your entire network.  You’re down for an entire workday.  What does it cost you?

Labor Cost

Let’s assume that your average employee makes 50K per year.  That equates to around $24/hr.  You have a staff of 50.

50 employees × $24/hr × 8 hours = $9,600 in lost wages.

Lost Revenue

If your company brings in 10 million in revenue each year, and we know that there are 2080 working hours in a year, we can calculate the hourly cost of downtime in terms of lost revenue.

$10,000,000 / 2,080 working hours = $4,808/hr

$4,808/hr × 8 hours = $38,464

Damage to Brand

What isn’t easy to calculate when you have an outage like this is the damage to your brand.  If clients and customers feel they can’t trust you, the effect can be lasting.  This is especially true if you work in a high-trust industry like finance, banking, or healthcare.

Total Cost

Even with just this basic math we can show that a smaller company with 50 employees would easily lose $48,064 in just 1 day of downtime.  That’s just over $6000/hr in lost revenue and productivity alone.

Here are a couple of resources that may help if you want to dig in deeper or run your own numbers.

How quickly could we recover from an outage?

Now that we have an idea of what downtime costs the company, the next obvious question is how quickly we can recover.  The answer will vary depending on what caused the outage and the disaster recovery solutions you currently have in place.

Asking your IT team this question will illuminate your risk as a company.  If you don’t have a good backup solution, an outage could cause downtime for days or weeks.  Large offsite backups can also take a long time to recover.  Local backups could be at risk if you have a cybersecurity attack like ransomware.

Knowing your current situation and estimated downtime in a disaster will allow you to quickly see if the current solution is acceptable. The general rule with disaster recovery is that the less downtime you want the more costly the solution typically is.  Knowing the costs involved will help you determine what level of risk is acceptable and select an appropriate solution.
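As an added example (not from the original article), the Python below carries the labor-plus-lost-revenue math from the downtime question through as a reusable calculation, then applies it to the recovery-time trade-off just described: each disaster recovery option has a worst-case time to restore (RTO) and a yearly price, and the cheaper option on paper can be the more expensive one once the outage loss is included.  The 2,080 working hours, $10M revenue, 50 staff and $50K salary come from the article; the DR option names, RTOs, prices and the one-outage-per-year assumption are constructed for illustration.

```python
# Added example (not from the original article): downtime-cost calculator that
# generalises the article's labour + lost-revenue math, then ranks disaster
# recovery options by expected annual cost. Option names, RTOs and prices below
# are constructed assumptions.

WORKING_HOURS_PER_YEAR = 2080  # 52 weeks x 40 hours, the figure the article uses


def hourly_downtime_cost(annual_revenue, employees, avg_salary):
    """Return (labour_per_hour, revenue_per_hour, total_per_hour).

    Labour: employees * hourly wage, where hourly wage = salary / 2080.
    Revenue: annual revenue spread evenly over 2080 working hours.
    Brand damage is deliberately left out: real, but not quantifiable here.
    """
    hourly_wage = avg_salary / WORKING_HOURS_PER_YEAR
    labour = employees * hourly_wage
    revenue = annual_revenue / WORKING_HOURS_PER_YEAR
    return labour, revenue, labour + revenue


def outage_cost(annual_revenue, employees, avg_salary, hours_down):
    """Labour + lost-revenue cost of a single outage lasting hours_down."""
    _, _, per_hour = hourly_downtime_cost(annual_revenue, employees, avg_salary)
    return per_hour * hours_down


def compare_dr_options(annual_revenue, employees, avg_salary, options,
                       expected_outages_per_year=1.0):
    """Rank DR options by expected annual cost = solution price + expected outage loss.

    options: list of dicts with 'name', 'rto_hours' (worst-case time to restore)
    and 'annual_cost' (what the solution costs per year). Returns a new list,
    cheapest first, with 'expected_outage_loss' and 'expected_annual_cost' added.
    """
    ranked = []
    for opt in options:
        loss = outage_cost(annual_revenue, employees, avg_salary, opt["rto_hours"])
        total = opt["annual_cost"] + expected_outages_per_year * loss
        ranked.append({**opt, "expected_outage_loss": loss,
                       "expected_annual_cost": total})
    return sorted(ranked, key=lambda o: o["expected_annual_cost"])


if __name__ == "__main__":
    # The article's scenario: $10M revenue, 50 staff averaging $50K, one 8-hour day down.
    labour, revenue, per_hour = hourly_downtime_cost(10_000_000, 50, 50_000)
    print(f"labour ${labour:,.0f}/hr, revenue ${revenue:,.0f}/hr, total ${per_hour:,.0f}/hr")
    print(f"one 8-hour outage: ${outage_cost(10_000_000, 50, 50_000, 8):,.0f}")

    # Constructed DR options (hypothetical names and prices) showing the trade-off
    # the article describes: a shorter RTO costs more up front.
    options = [
        {"name": "tape/offsite only", "rto_hours": 80, "annual_cost": 5_000},
        {"name": "local + cloud backup", "rto_hours": 16, "annual_cost": 20_000},
        {"name": "warm standby site", "rto_hours": 2, "annual_cost": 60_000},
    ]
    for o in compare_dr_options(10_000_000, 50, 50_000, options):
        print(f"{o['name']:22s} RTO {o['rto_hours']:3d}h  "
              f"expected annual cost ${o['expected_annual_cost']:,.0f}")
```

Run as-is it reproduces the article's figures without the intermediate rounding (about $6,010/hr and $48,077 for one eight-hour day), and the ranking shows why the question about recovery time belongs right after the question about cost: with a $6,000/hr loss rate, an option that saves $55,000 a year in subscription fees but takes 80 hours to restore is by far the most expensive choice once a single outage is priced in.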

Where is our Data?

COVID has really complicated the answer to this question.  Many companies had to quickly pivot their operational models when we were forced to work from home.  When that happened, IT didn’t always provide an approved solution quickly enough to keep up with the business.  This caused users to take matters into their own hands, and data suddenly got sucked up into a plethora of cloud file-sharing applications to make it accessible.

The problem with this type of shadow IT is that your IT team doesn’t know where your users are putting data.  As a result, they are not able to secure or back up that data.  It also puts you at risk as a company if you have IP that could easily be carried off by a disgruntled employee.  This presents significant challenges for security as well: we can’t protect what we don’t know exists.

Discussing where your data is will illuminate these problems.  You may need to execute a project to bring company data back into locations where your IT team can easily secure and back it up.  If you don’t, the risk can be substantial.

Do we have a solution to protect against common cybersecurity threats?

There are a LOT of potential cybersecurity threats out there that companies should be aware of.  However, in 2024 there are 3 that stand out as the most common.  Having protections against these 3 threats isn’t a cure-all, but it will go a long way toward securing your data.  Asking about these threats will provide insight into your overall security posture.

Ransomware

Ransomware is a type of malicious software—or malware—that encrypts your data and prevents you from accessing your computer files, systems, or networks and demands you pay a ransom for their return. – FBI.gov

This attack can be devastating to a business.  It frequently takes days or weeks to recover from, and in many cases businesses are forced to pay a ransom in the millions to get their data back.  Even after paying the ransom, there is no guarantee you will regain access to your data as promised.

There are a handful of security solutions that can help protect against ransomware. 

  • Endpoint Detection and Response Software – This is the next generation of antivirus.  The best ones offer some protection against ransomware and other threats.
  • Privileged Access Management – This is a software solution that helps protect against the spread of ransomware by requiring approval from IT for any application attempting to install on a machine, including ransomware.
  • Multifactor Authentication – MFA goes a long way to stopping the bad guys.  It’s not undefeatable, but many bad actors will simply move on to find an easier target if you have it in place.  Simple, inexpensive and effective.
  • Business Class Firewalls – Having the right firewalls in place on your network, properly configured with security services, can offer another layer of protection.

BEC Attacks

These attacks have edged out ransomware in 2024 as the most common cybersecurity threat.  This is where a bad actor gains access to your company email (frequently targeting accounting), monitors correspondence to see where your largest invoices are going, and then interjects themselves into that conversation as your employee, telling the client that your banking information has changed and they need to wire their payment to a new account.

They frequently gain email access via phishing emails, malicious attachments, or social engineering.  There are several things you can do to protect your organization.

  • Email Security Suite – This will block spam and many phishing attempts.  The best ones will also block malicious attachments to keep you safe.
  • Cybersecurity Awareness Training – Your employees can be a liability when it comes to cybersecurity.  This solution allows you to send test phishing campaigns to employees to see who your “clickers” are.  Then you can run them through education that seeks to close their knowledge gap about potential attacks.  Training your people helps mitigate risk.
  • Multifactor Authentication
  • Internal Policy – Having the right policy in your company can help as well.  It can be as simple as mandating that if there is ever a change of banking information, your employees call to verify with a human before executing a transfer.

Network Intrusion

With work from home, the most common network intrusion attack has become using a password cracker to gain access to a VPN that isn’t secured with MFA.  Once they gain access to your network, they can do several nefarious things.  There are a few protections that will help.

  • Business Class Firewalls – Specifically ones that have an intrusion prevention feature.  This allows your firewall to monitor network activity and stop anything suspicious.
  • MFA – Put it on everything.  It helps.  Specifically, make sure that your RDP sessions and VPN connections are protected by MFA.

Where do we have technical debt as an organization?

Technical debt can come in many forms.  Legacy applications, operating systems, or end-of-life hardware can all add to your risk.  Southwest Airlines is a great recent example of this: they had an outage because of outdated technology that cost them an estimated $825 million.

The thing that many companies don’t stop to think about is that technical debt operates almost like compounding interest in a bad way.  The farther behind your technology gets, the more complicated and expensive it is to move to a current solution.

Legacy databases and applications may not be easily compatible with current software and solutions.  Instead of just doing a version update, you find that to move to something current you need to hire an entire team of consultants to help you.  The older your solution is, the fewer experts remain with the expertise to assist you.  Supply and demand dictates that these resources can charge almost whatever they like for their services.

Avoid this by keeping your systems up to date regularly and doing version upgrades when needed.  If you put it off now because of cost or inconvenience, your costs and inconvenience will both likely increase in the future.

How does our staff feel about IT?

This one isn’t a technical question.  However, CEOs should be focused on company culture, and your employees’ experience with IT affects that. 

Any situation that comes up where your people feel they aren’t heard is a problem.  Any time your employee feels there isn’t a path to get their problems solved, it’s frustrating.  People leave companies if they feel this way regularly.  Is your IT a contributing factor?  Does it leave them empowered or irritated?

One note on this is that the CEO’s experience with IT is typically NOT representative.  You get the best hardware, the quickest response, and the white-glove handholding.  If you want a real gauge of what is going on, it’s best to talk to your front-line workers.

Do you have adequate cybersecurity insurance coverage?

No matter what solutions you have in place for IT and cybersecurity, risk will always exist.  To further protect your business, you’ll want to seek out appropriate insurance coverage to mitigate it.

Talk to an insurance professional who knows cyber.  Not all brokers do.  Ask them about various scenarios and whether you would be covered or not.

Three areas where companies are frequently not covered are:

  • Pre-existing vulnerabilities
  • Human Error
  • Insider Attacks

Discuss these specifically with your insurance carrier to see what you can do to best protect your business.

Conclusion

CEOs have a lot to think about.  IT isn’t normally at the top of the list.  If you take the time to ask these 7 questions of your IT team, the resulting conversations will be valuable to you and help you reduce your risk as a company. 

You may also find out that things aren’t currently where you want them to be, and gaps exist in your current solution.  Once you identify them you can start making things better.  If your current IT provider hasn’t done their job, that’s a good thing to know as well.

If you find yourself wanting to consult with an expert, we are happy to help.  Book time to chat with us HERE.