Board members, CEOs, CIOs, corporate officers: You trust your chief financial officers (CFOs). However, you still spend millions of dollars every quarter on outside experts to ensure that the CFOs have counted every penny properly, didn't miss a trick and your stakeholders can be confident that your financial house is in order.

Why do you spend so much time and money on outside auditors every quarter? The short answer: financial regulations. It's a condition of handling other people's money, so you do it. You also do it because, as a corporate officer, you sign your 10Q quarterly reports stating that what the CFO told you is true, knowing that if mistakes were made, money missed or misfiled, or the wrong principles applied, that the fines, penalties, loss of equity and even loss of job would be yours as well.

Welcome to 2015! Allow me to introduce you to your chief security officer (CSO). Despite the honorific, your CSO is rarely a "real" corporate officer like you. Typically, a CSO still reports to the CIO and thus is part of your enterprise's I.T. branch.

Trust but Verify

Your CSO is the smartest security person in the company, but often talks in terms that you not only don't understand, but in terms you don't even want to understand. CSOs talk about needing more money for this countermeasure or that service, and all you think is, "Geez, we just gave you a budget last quarter!"

CSOs rarely quantify a return on investment, as the rest of your department heads can. Instead, CSOs talk about threats to other companies, and deep down you're wondering who would have both the inclination and capability to attack your company anyway? You have firewalls, and you're forced to memorize (okay, write down in your secret place) longer and longer passwords that NOBODY could guess. You're compliant with your industry standards, such as PCI (for payment cards) and HIPAA (health records), so you must be protected.

In short, you need to trust your CSOs to do their jobs, just as you trust your CFOs — in the same way that President Reagan trusted the Soviet Union to disarm: "Trust but verify."

Officer Involved Security

Security is no longer an IT problem, but rather a business issue. Corporate officers have to go the extra mile to ensure that their CSOs are equipped to protect the company from the risks aimed at your company today.

It's easy to point at other not-so-lucky executives and laugh — executive passwords such as "sony123"; malware inside networks for almost a year without discovery; sensitive emails saved in the open; hastily made software not checked for security; and no one noticing the exfiltration of enough data to fill the Library of Congress — who would allow such a thing?

Reflecting Vulnerabilities

It's mirror time. Most of you allow some of these very same practices at your company and you don't even know it. The only real difference between your company and others is the four-letter word for surviving a terrorist attack: LUCK.

All of the old-school antivirus software you have won't ever find today's customized new-school attacks. Shelfware and unmonitored security systems are useless against them. Your old software can't compete with them. And if your CSOs keep talking about needing more firewalls to defend, you should fire them.

You should focus on three strategies today:

1) Understand that attackers move around inside your networks for about a year before they strike. This means that they are inside your networks today! Use this one window, where you have the upper hand, before the malware explodes (yes, as ARAMCO, Sony and others can attest, malware can physically destroy systems), before it's gained enough information and access to attack. This is your best chance to find the malware and kill it. But knowing how to look, where to look and what tools to use when looking is a pro's game. It's not just buying the latest magic quadrant winner, or media darling. It takes tools, skills, practice and experience — none of which you're likely to have (or pay for) in house. Beware the false sense of security.

2) Collaborate the way the criminals do. Most of the defenses and investigations I've been part of over the years have had a common denominator — adversary collaboration. Regardless of whether your primary attacker is after money, revenge or critical disruption — groups such as organized crime, terrorists, state actors, nonstate actors, disgruntled insiders — all tend to work together sharing/trading/buying insight, tools, codes, weapons and even your intellectual property. You need to actively collaborate with good guys — law enforcement, security professionals, Information Sharing and Analysis Centers (ISACs), security associations and, yes, even your competitors.

3) Respond as if your career depended on it. I get called by executives like you to help respond to major attacks all the time (usually at 2 a.m.!). Most of the time, the conversation starts like this: "Tom, I know you told me to prepare, but … You've got to help! What do I do?"

The answer? There are three very simple and cost-effective keys to a successful incident response (IR): planning, practice and people.

Every public company should have a complete and current IR plan that has been built to expect an incident and provide training to respond effectively. Most of the plans I've worked on anticipate more than 80 percent of the actual event, so on that first night, you're worried only about understanding that last 20 percent. Most IR is planned, scripted and preapproved by legal, communications and technology. You've already participated in realistic practice sessions each quarter to keep current, and you've identified your go-to IR team.

Most companies don't keep dozens of forensic investigators on staff just waiting for this night. No company buys all the latest tools and stays current with the latest techniques needed to discover today's attacks. However, every public company should have an advance contract with a trusted global IR partner that does have these capabilities and has already been part and parcel of your quarterly practice sessions so it also can hit the ground running.

If your first call takes more than two minutes to get to the IR duty officer (yes, even at 2:00 a.m.), and the officer can't activate your response plan during that first call, then you are at excessive risk. Those first few hours often make the difference between being judged successful in your response or being part of the problem that needs to be cleaned up.

The security of your company is part of your fiduciary responsibility as a corporate officer. The decisions you need to make are not technical; you don't need to understand the difference between IPv4 and IPv6 (it's not 2), or what SCADA stands for (supervisory control … oh, never mind).

You need security advice at the board and corporate officer level that speaks your language, and you either need new board members that are cyber savvy or outside expertise specific to this fast-paced world that can keep you up with your adversaries.

Just as with your CFOs, you need to give your CSOs the expert support they need and hold them accountable for managing your risk as if the very survival of your company depends on it. It does.