Online Safety Community

8 Tough Questions Every CISO Should Be Ready to Answer

8 Tough Questions Every CISO Should Be Ready to Answer

When a major security incident, such as the recent massive Equifax data breach, grabs headlines, CEOs start asking more questions about data security.

See Also: Addressing the Identity Risk Factor in the Age of ‘Need It Now’

CISOs need to be thinking about their answers to critical questions the CEO is likely to pose.

Information Security Media Group asked seven security experts what questions they believe CEOs should be asking CISOs, and what information CISOs should arm themselves with to be prepared to provide answers. Following are eight questions and the experts’ suggested responses.

We have been investing in cybersecurity for a few years now. Would you say our organization is secure?

Israel Bryski, vice president, technology risk, Goldman Sachs: To pre-empt this question, the CISO should have a conversation early on with the CEO to determine the organization’s risk appetite. This will allow the CISO to align and prioritize security initiatives accordingly.

We are in the business of information and technology risk management, so the “Are we secure?” question is somewhat misguided. The question should be: “Are we managing risk according to our risk profile?” To answer this, the CISO should be able to easily demonstrate, based on a recent risk assessment, how the various cybersecurity initiatives and projects are in fact reducing risk, shrinking the attack surface of the organization and aligning the security program with the firm’s overall risk profile.

We have a board meeting next week. Can you talk about cybersecurity in a way they will understand?

Mischel Kwon, former director of US-CERT and deputy CISO for the Department of Justice; currently CEO of MKACyber: CISOs should be able to confidently say “absolutely” to this question. They should be able to speak with the board in a very businesslike way and articulate what they are doing with the company’s money and how they are protecting the company and its assets.

The key to being able to speak to the board is to base their program on a business-focused model. That business model shows their capability founded on their maturity, and that maturity is based on the probability of detecting specific types of attacks. These are the type of attacks that are most likely to happen to them, and this is the risk to the business, its goals and its reputation that these attacks bring.

Do you have enough money to do what you need to do?

Tim Youngblood, CISO, McDonald’s: Depending on where CISO sits, this can be a hairy topic. That can be a difficult conversation to say “I’m not getting enough.” It’s not easy if the CIO is in the room.

The best way to answer that is, “We may have current risks we are really well-funded to address, but there may be future risks we’ll need to fund and we still have some work to figure that piece out.”

A CEO is not going to write you a blank check. The CEO is going to look at the CFO and CIO and say, “The CISO needs money. You take it out of your budget and make it happen.” There is not an extra pot of money waiting for anyone, so making the clear case for why it is needed is key.

Is this really worth the investment?

Heath Renfrow, CISO at U.S. Army Medicine: The best thing a CISO can do when asked this question is have multiple options they can present to the CEO. Explain to them: Here’s the full issue. This is the total cost to fix this issue. This is what we believe the cost will be if this issue doesn’t go away and how much it will be should the vulnerability be exploited.

As an example, we didn’t know not know where our protected health Information and personal identifying information resided across all systems when I first got to Army Medicine. It would be a huge HIPAA concern if we got hit on that, or if there was a leak or a violation. It could have cost millions of dollars and many jobs. I tied in the overall cost and broke it down to how much it would be per end-user device to address it and it came out to be an about $3.43 per end-user device. Then I tied in all the results of HIPAA violations in the past few years and the fines associated with them. You get your senior leaders attention real quick with that approach.

Rick Howard, CSO, Palo Alto Networks, adds: Questions like this are sure to arise as corporate leadership attempts to understand the business risk associated with a cyberattack. As a result, CIO/CISOs should be prepared to explain the total cost of a potential breach. Everything from business disruption and loss of customers to consequential legal fees and remediation can rack up the bill more quickly than leadership may realize.

Read More: http://snip.ly/q0zie#https://www.bankinfosecurity.com/8-tough-quest...

Views: 20

Comment

You need to be a member of Online Safety Community to add comments!

Join Online Safety Community

Take our poll!

Take our poll!

Latest Activity

kate smith posted blog posts
6 minutes ago
Training Doyens posted events
1 hour ago
John Robinson posted a blog post

Collins: Trump should back effort to resume health subsidy

A key moderate Republican is urging President Donald Trump to support a bipartisan Senate effort to reinstate insurer payments, calling his move to halt the subsidies an immediate threat to millions of Americans who could now…See More
18 hours ago
Adam Fleaming posted a blog post

Who Benefits from the changes, and How it will affect the Retailers and Customers

Credit card surcharge was the bone of contention in an antitrust lawsuit filed 2005. As a result, the judgment in this case, which came in mid-2012, prohibited credit card surcharge in ten States. The implementation of their respective laws is underway in another 12 States.Credit card regulations have traditionally opposed surcharging. Yet, companies have been devising ways by which they have sidestepped merchant rules and have continued to ensure that credit card surcharge gets levied. A kind…See More
19 hours ago

Forum

Occupational Health and Safety 4 Replies

Health and safety are important aspects of an organisation’s smooth and effective functioning.  Did you know that workplace health & safety injuries cost Australian businesses over $60 billion…Continue

Tags: Safety, and, Health, Occupational

Started by WHS Solutions. Last reply by John Robinson 17 hours ago.

Introduction to PEGA-PRPC

Pega/PRPC is a popular rules engine and BPM tool from Pega systems that is gaining good market share among large corporations. Architects and developers build the Pega/PRPC instance while…Continue

Tags: training, course, online, pega

Started by Soujanya Naganuri Oct 6.

Introduction to PEGA-PRPC

Pega/PRPC is a popular rules engine and BPM tool from Pega systems that is gaining good market share among large corporations. Architects and developers build the Pega/PRPC instance while…Continue

Tags: training, course, online, pega

Started by Soujanya Naganuri Oct 6.

Introduction to PEGA-PRPC

Pega/PRPC is a popular rules engine and BPM tool from Pega systems that is gaining good market share among large corporations. Architects and developers build the Pega/PRPC instance while…Continue

Tags: training, course, online, pega

Started by Soujanya Naganuri Oct 6.

Introduction to PEGA-PRPC

Pega/PRPC is a popular rules engine and BPM tool from Pega systems that is gaining good market share among large corporations. Architects and developers build the Pega/PRPC instance while…Continue

Tags: training, course, online, pega

Started by Soujanya Naganuri Oct 6.

Badge

Loading…

© 2017   Created by Safety Community.   Powered by

Badges  |  Report an Issue  |  Terms of Service