Cybersecurity In-Depth: Feature articles on security strategy, latest trends, and people to know.
10 Tough Questions CEOs Are Asking CISOs
CEOs today are prepared with better questions than 'Are we secure,' and chief information security officers had better be ready to answer.
Figure 1:
CISOs are now getting plenty of face time with executive management: In fact, a study from ISC2 finds 43% of CISOs report to the CEO and 14% report to the board directly. And those dynamics are expected to shift even more. According to Gartner, 100% of CISOs at large enterprises are on pace to report to their boards on cybersecurity and technology risk at least annually.
With security in the spotlight more often, the ability to answer a common question like "Are we secure?" is no longer sufficient – and it really does little to convey the much larger picture of security efforts.
What questions should today's CISOs be prepping to answer for their next executive meeting? The Edge asked a half-dozen security pros to weigh in on some of the most essential queries security managers should be ready to answer. Read on.
So What?
As CISOs increasingly command time with the board and executive management, they are also expected to speak in business language and make the case for security investment in business terms. In other words, don’t enter a meeting ready to spew security jargon and expect less security-minded management to understand why certain risks matter.
"Security as a standalone concept is useless and means drastically different things to different people," says Gigamon CISO Jack Hamm."Being ready to articulate the risk, probability, and impact to the business is the only normalized way we can speak of security."
Figure 4:
How Will This Affect Operations?
While certain security tools, technologies, and processes will be essential to risk mitigation, just about every veteran security manager knows they can come at the price of convenience and productivity. How should this be explained to management? Be prepared to make a convincing case when asked why certain sacrifices may be needed.
"If security controls impact the ability to realize business goals, they likely won’t be supported," Hamm says. "It’s important to tie the risk with the acceptance of some productivity hurdles. That said, if your control proposal is to 'stop all risk,' you’re going to have a bad time. Think guardrails, not roadblocks, when pitching controls to the business."
Figure 5:
Are We Protected Against a Breach?
Many business executives think having a CISO will "unequivocally" prevent breaches from occurring, says James Nelson, vice president of information security at Illumio. "Unfortunately, this is the wrong way to think about this challenge," he says.
Faced with this question, CISOs should be prepared to explain that security is a holistic, ongoing, organizationwide effort and list the different factors that will help prevent (but not guarantee) a breach from occurring.
"The primary goal of security leaders today should be to help his or her organization to be successful through security. It requires technical expertise, stakeholder management, political acumen, communication skills, and more to do the CISO job well," says Nelson.
"For CISOs, this is one of those 'keep-you-up-at night' questions," adds Ed Bellis, CTO and co-founder of Kenna Security and former CISO for Orbitz. "The Equifax breach is the poster child for this, but apply the thinking to your company or organization. Where are your biggest blind spots, and what would it take to eliminate them?"
Figure 6:
How Did This Happen?
Despite best efforts (including having a CISO on board), breaches and other security incidents do happen. It's a reality for any veteran security manager. When it does occur, be prepared to answer why it happened and what lessons have been learned.
"Incidents and breaches need a bad guy; you usually can’t catch them, so the CISO is the next logical recipient of the label," Gigamon's Hamm says. "Be ready to articulate the risk that 'we' accepted when we chose the controls, the budget, and our tolerance level. Security is a team sport. Remind the CEO that we don't have a magic security wand to ward off bad guys."
Figure 7:
How Do You Measure Success?
CEOs are familiar with the metrics that CMOs, CFOs, and sales leaders are held to, but what about the CISO?
"Tactically speaking, CISOs should be measured on their ability to monitor the effectiveness of a security program as a whole and whether or not valuable data is protected, but they should also be measured on their ability to enable the business to move faster in a secure manner," Illumio's Nelson says. "Instead of thinking about security as a blocker for innovation, measure CISO performance on its ability to enable agility and innovation within a company."
Figure 8:
How Do We Create a Security Culture at Our Organization?
Most CISOs will agree that a culture of security throughout an organization keeps businesses most secure. Security culture means different things to different leaders, but it generally means security is a priority at all levels of the business. However, a survey from ISACA finds that nine in 10 enterprises said they have a gap between the security culture they want to have and the one they have in place.
"Creating a security culture starts with the board and the CEO. Above all, they must create an atmosphere where it is safe to tell the truth. This applies especially to the hard truths about where the organization needs to improve," says Leo Taddeo, CISO of Cyxtera Federal Group. "Without an honest and open discussion about the strengths and weaknesses within an enterprise, no amount of security spending or staffing will be able to effectively mitigate today's complex cyber-risks."
Figure 9:
Where Do We Stand on (Insert Latest Security Breach Headline Here)?
When a headline-making breach occurs, executive leadership will want to know how relevant it is for their business.
"As a former CISO, I can tell you that we’ve all heard this question, probably way more than we want to," Kenna Security's Bellis says. "Whether it’s the latest breach in the news, a new vulnerability with a logo, or an article in The Wall Street Journal about supply chain risks, this is the question CISOs and their teams often have to scramble to answer. The key to answering this question quickly and getting back to business is having data about your organization within reach. This could be through a data warehouse, a commercial platform, or something homegrown."
Figure 10:
Can I be Hacked Like Jeff Bezos Was?
Like breaches that impact big businesses, high-profile individuals being hit by breaches makes the headlines, too. Most recently, Amazon founder and CEO Jeff Bezos was a target of hackers. But regardless of who is impacted, the answer to this question is unequivocally "yes," says Aaron Turner, president and CSO of HighSide, a security technology company.
"Bezos has access to some of the best cybersecurity professionals in the world," he says. "He has a dedicated team who looks after his physical and cyber protection. If this type of attack can be successful with Bezos as the target, then nearly anyone is just as vulnerable -- probably more so because most don't have the cyber protection resources Bezos does."
The takeaway: Celebrity hacking incidents are a good opportunity to talk about holes in your own executive security protections.
Figure 11:
How Can Security Help Grow Business Revenue?
Security must be able to demonstrate it is more than a cost center, says Stan Lowe, global CISO for Zscaler and former Department of Veterans Affairs CISO. Security managers must recognize (and communicate) that the role is no longer technical but one of business enablement.
"Stop thinking like the traditional security guy," Lowe says. "We have a reputation among our business of putting the 'no' in innovation. Work with your business to determine their needs and align your strategic risk profiles and technology to support those business goals. Have the answers on how you're going to enable your business units to use technology to drive and protect revenue in the most risk-acceptable manner possible."
Figure 12:
Where Is the "Biggest-Bang-For-Our-Buck" Opportunity?
CISOs are also required to find ways to cut costs and justify security investments.
"Think about what project or process you could implement that could greatly reduce your overall risk or attack surface with a minimal amount of effort or spend," Kenna Security's Bellis says. "If answered another way, what’s the one thing you wish you could do across your company to lower risk? Implement [multifactor authentication] across all users? Automate your patch management process?"
Read more about:
2020About the Author
You May Also Like