The 6 Cybersecurity Questions Your CEO Wants Answered
What is a CISO’s top priority? A PWC and Harvard Business Review study asked executives what they thought it should be, both now and in three years.
According to survey participants, today’s CISOs should be focused on building and maintaining threat-resistant systems and identifying potential external threat factors. In three years, the top priority is building an organization-wide cybersecurity culture.
That shift from more tactical to strategic and executive-facing functions will require a corresponding shift in approach, and it starts at the top. Every answer to every question from your CEO is an opportunity to shape the culture in your organization.
By taking a risk-based vulnerability management (RBVM) approach to answering these questions, CISOs can deliver more strategic value and encourage executives to ask better questions.
Here are six of the most common questions CEOs ask and how CISOs can answer them with a risk-based approach that sets new stakes for your cybersecurity culture.
1. Where do we stand on [insert latest security breach headline here]? Are we protected against this happening to us?
As a former CISO, I know we’ve ALL heard this question, probably way more than we want to. Whether it’s the latest breach in the news, a new vulnerability with a logo, or an article in the Wall Street Journal about supply chain risks, this is the question CISOs and their teams often have to scramble to answer.
The key to answering this question quickly and getting back to business is having data about your organization within reach. This could be through a data warehouse, a commercial platform, or something home-grown.
2. How does our security risk compare to our competitors and peers?
Like it or not, every exec and board member wants to know the answer to this question. I attribute this to a lack of ground truth information in our industry, which means the executive management team will want to understand the next best thing for how they should measure their own efforts.
Having access to industry benchmarking and understanding where your peers are is obviously key to answering this question. Participating in industry focused organizations such as the ISACs as well as a view into benchmarking features of your risk management tools allow you to quickly address these.
3. What are some of the most likely security issues to affect us? What security issues would have the biggest impact on our business if they were to occur?
These questions are about gleaning an understanding of security risk through the likelihood and impact of any given event. If your CEO is asking you these questions, you’re in a more mature state than most, so kudos to you for building a risk-based culture.
Using that risk-based approach, you can convey which vulnerabilities are most likely to be exploited and your risk tolerance for each based on how important a system is.
4. Where is the “biggest bang for our buck” opportunity to lower security risk across our organization?
Think about what project or process you could implement that could greatly reduce your overall risk or attack surface with a minimal amount of effort or spend.
Answered another way, what’s the one thing you wish you could do across your company to lower risk? Implement MFA across all users? Automate your patch management process? Now’s the chance to make your case.
5. Are there any areas of security spend that would be better spent elsewhere?
Consider where you have legacy implementation of controls where the cost to maintain is far outweighing the actual risk reduction. Given the changes in the industry over the last several years, are there cheaper or simpler solutions that would effectively do the same job or better?
6. Where are our biggest “known unknowns” in security? What would it take for us to eliminate those?
For CISOs, this is one of those “keep you up at night” questions. The Equifax breach is the poster child for this, but apply the thinking to your company or organization. Where are your biggest blind spots and what would it take to eliminate them?
What CEOs actually want to know
Ultimately, what your CEO and board want to know is “Are we secure?” It’s a common question. Of course as security professionals, we know the answer to this isn’t binary.
But as we’ve discussed, when talking to your CEO or board, try to steer the conversation to a risk-based answer grounded in data. Where do you currently stand, where are you going, and how long and how much will it take to get there?
Looking for a better way to remediate? Risk-based vulnerability management is your answer. Get a demo today.