8 Tough Questions Every CISO Should Be Ready to Answer

When a major security incident, such as the recent massive Equifax data breach, grabs headlines, CEOs start asking more questions about data security.

CISOs need to be thinking about their answers to critical questions the CEO is likely to pose.

Information Security Media Group asked seven security experts what questions they believe CEOs should be asking CISOs, and what information CISOs should arm themselves with to be prepared to provide answers. Following are eight questions and the experts’ suggested responses.

We have been investing in cybersecurity for a few years now. Would you say our organization is secure?

Israel Bryski, vice president, technology risk, Goldman Sachs: To pre-empt this question, the CISO should have a conversation early on with the CEO to determine the organization’s risk appetite. This will allow the CISO to align and prioritize security initiatives accordingly.

We are in the business of information and technology risk management, so the “Are we secure?” question is somewhat misguided. The question should be: “Are we managing risk according to our risk profile?” To answer this, the CISO should be able to easily demonstrate, based on a recent risk assessment, how the various cybersecurity initiatives and projects are in fact reducing risk, shrinking the attack surface of the organization and aligning the security program with the firm’s overall risk profile.

We have a board meeting next week. Can you talk about cybersecurity in a way they will understand?

Mischel Kwon, former director of US-CERT and deputy CISO for the Department of Justice; currently CEO of MKACyber: CISOs should be able to confidently say “absolutely” to this question. They should be able to speak with the board in a very businesslike way and articulate what they are doing with the company’s money and how they are protecting the company and its assets.

The key to being able to speak to the board is to base their program on a business-focused model. That business model shows their capability founded on their maturity, and that maturity is based on the probability of detecting specific types of attacks. These are the type of attacks that are most likely to happen to them, and this is the risk to the business, its goals and its reputation that these attacks bring.

Do you have enough money to do what you need to do?

Tim Youngblood, CISO, McDonald’s: Depending on where the CISO sits, this can be a hairy topic. It can be a difficult conversation to say, “I’m not getting enough.” It’s not easy if the CIO is in the room.

The best way to answer that is, “We may have current risks we are really well-funded to address, but there may be future risks we’ll need to fund and we still have some work to figure that piece out.”

A CEO is not going to write you a blank check. The CEO is going to look at the CFO and CIO and say, “The CISO needs money. You take it out of your budget and make it happen.” There is not an extra pot of money waiting for anyone, so making the clear case for why it is needed is key.

Is this really worth the investment?

Heath Renfrow, CISO at U.S. Army Medicine: The best thing a CISO can do when asked this question is have multiple options they can present to the CEO. Explain to them: Here’s the full issue. This is the total cost to fix this issue. This is what we believe the cost will be if this issue doesn’t go away and how much it will be should the vulnerability be exploited.

As an example, we didn’t know where our protected health information and personal identifying information resided across all systems when I first got to Army Medicine. It would be a huge HIPAA concern if we got hit on that, or if there was a leak or a violation. It could have cost millions of dollars and many jobs. I tied in the overall cost and broke it down to how much it would be per end-user device to address it, and it came out to be about $3.43 per end-user device. Then I tied in all the results of HIPAA violations in the past few years and the fines associated with them. You get your senior leaders’ attention real quick with that approach.

Rick Howard, CSO, Palo Alto Networks, adds: Questions like this are sure to arise as corporate leadership attempts to understand the business risk associated with a cyberattack. As a result, CIO/CISOs should be prepared to explain the total cost of a potential breach. Everything from business disruption and loss of customers to consequential legal fees and remediation can rack up the bill more quickly than leadership may realize.
