Cybersecurity In-Depth: Getting answers to questions about IT security threats and best practices from trusted cybersecurity professionals and industry experts.

How Should I Answer a Nontech Exec Who Asks, 'How Secure Are We?'

Consider this your opportunity to educate.

Kurtis Minder, Co-Founder & CEO, GroupSense

February 26, 2020


Question: How should I answer a nontech exec who asks, "How secure are we?"

Kurtis Minder, CEO of GroupSense: Depending on your relationship with your executive team, it might help to qualify the question first. Secure compared to what? Compared to similar companies of focus and size in the industry? Compared to NIST 171? Compared to PCI DSS? In order to measure something like this, it helps to have a reference baseline. Otherwise the answer is opaque and virtually meaningless. Regardless of the answer, it is important to convey that the threat landscape is fluid and security programs need to be also.

You should also use this type of question as an opportunity to educate. Say to the exec: "Before I answer that question, what's your nightmare? Which systems are you most concerned about being compromised?" Depending on the answer, you can educate the executive on your company's risk profile – what systems are most likely to be attacked, who is most likely to attack them, and what techniques are most likely to be used.

From there, you can then tell the executive everything you've done to mitigate that risk – but that you're never 100% secure because all it takes is for one employee to click on the wrong link in the wrong email, and all your security measures go downhill. Next, you can emphasize how everyone in the company has a responsibility to be cybersafe and keep the company secure – including the executive questioning you.


About the Author

Kurtis Minder

Co-Founder & CEO, GroupSense

Kurtis Minder is the Co-Founder and CEO of GroupSense where he leads a team of world-class analysts and technologists providing custom cybersecurity intelligence to some of the globe’s top brands. He has more than 20 years of experience in roles spanning operations, design, and business development at companies like Mirage Networks (acquired by Trustwave), Caymas Systems (acquired by Citrix), and Fortinet (IPO). Minder is also a world-renowned ransomware negotiator and was recently profiled in The New Yorker for his work. He has been featured in the media across four continents and has recently been on CNN, The BBC, and CBS, and featured in publications such as Reuters, The Wall Street Journal, The New York Times, Fortune, and The Washington Post about ransomware.

