Online Safety Community

8 Tough Questions Every CISO Should Be Ready to Answer

8 Tough Questions Every CISO Should Be Ready to Answer

When a major security incident, such as the recent massive Equifax data breach, grabs headlines, CEOs start asking more questions about data security.

See Also: Addressing the Identity Risk Factor in the Age of ‘Need It Now’

CISOs need to be thinking about their answers to critical questions the CEO is likely to pose.

Information Security Media Group asked seven security experts what questions they believe CEOs should be asking CISOs, and what information CISOs should arm themselves with to be prepared to provide answers. Following are eight questions and the experts’ suggested responses.

We have been investing in cybersecurity for a few years now. Would you say our organization is secure?

Israel Bryski, vice president, technology risk, Goldman Sachs: To pre-empt this question, the CISO should have a conversation early on with the CEO to determine the organization’s risk appetite. This will allow the CISO to align and prioritize security initiatives accordingly.

We are in the business of information and technology risk management, so the “Are we secure?” question is somewhat misguided. The question should be: “Are we managing risk according to our risk profile?” To answer this, the CISO should be able to easily demonstrate, based on a recent risk assessment, how the various cybersecurity initiatives and projects are in fact reducing risk, shrinking the attack surface of the organization and aligning the security program with the firm’s overall risk profile.

We have a board meeting next week. Can you talk about cybersecurity in a way they will understand?

Mischel Kwon, former director of US-CERT and deputy CISO for the Department of Justice; currently CEO of MKACyber: CISOs should be able to confidently say “absolutely” to this question. They should be able to speak with the board in a very businesslike way and articulate what they are doing with the company’s money and how they are protecting the company and its assets.

The key to being able to speak to the board is to base their program on a business-focused model. That business model shows their capability founded on their maturity, and that maturity is based on the probability of detecting specific types of attacks. These are the type of attacks that are most likely to happen to them, and this is the risk to the business, its goals and its reputation that these attacks bring.

Do you have enough money to do what you need to do?

Tim Youngblood, CISO, McDonald’s: Depending on where CISO sits, this can be a hairy topic. That can be a difficult conversation to say “I’m not getting enough.” It’s not easy if the CIO is in the room.

The best way to answer that is, “We may have current risks we are really well-funded to address, but there may be future risks we’ll need to fund and we still have some work to figure that piece out.”

A CEO is not going to write you a blank check. The CEO is going to look at the CFO and CIO and say, “The CISO needs money. You take it out of your budget and make it happen.” There is not an extra pot of money waiting for anyone, so making the clear case for why it is needed is key.

Is this really worth the investment?

Heath Renfrow, CISO at U.S. Army Medicine: The best thing a CISO can do when asked this question is have multiple options they can present to the CEO. Explain to them: Here’s the full issue. This is the total cost to fix this issue. This is what we believe the cost will be if this issue doesn’t go away and how much it will be should the vulnerability be exploited.

As an example, we didn’t know not know where our protected health Information and personal identifying information resided across all systems when I first got to Army Medicine. It would be a huge HIPAA concern if we got hit on that, or if there was a leak or a violation. It could have cost millions of dollars and many jobs. I tied in the overall cost and broke it down to how much it would be per end-user device to address it and it came out to be an about $3.43 per end-user device. Then I tied in all the results of HIPAA violations in the past few years and the fines associated with them. You get your senior leaders attention real quick with that approach.

Rick Howard, CSO, Palo Alto Networks, adds: Questions like this are sure to arise as corporate leadership attempts to understand the business risk associated with a cyberattack. As a result, CIO/CISOs should be prepared to explain the total cost of a potential breach. Everything from business disruption and loss of customers to consequential legal fees and remediation can rack up the bill more quickly than leadership may realize.

Read More: http://snip.ly/q0zie#https://www.bankinfosecurity.com/8-tough-quest...

Views: 126

Comment

You need to be a member of Online Safety Community to add comments!

Join Online Safety Community

Take our poll!

Take our poll!

Latest Activity

John Robinson posted events
11 hours ago
Mark Nilson posted events
12 hours ago
Nakul Pratap added a discussion to the group Certification and Training
Thumbnail

Enroll Our Nebosh Course in Saudi Arabia Becomes a professional safety officer

Green World Group is an repeated Safety training institute in Saudi Arabia offered Nebosh Course in Saudi Arabia. We provide many safety training courses like IOSH, Safety Diploma, and many more safety course in Saudi Arabia.A NEBOSH qualification Course offers much better recognition from organizations. Every year, more than 35, 000 persons doing work in an array of alternative sectors take these in the world…See More
13 hours ago
Nakul Pratap joined Safety Community's group
13 hours ago

Forum

5 TECHNOLOGY-BASED LONE WORKER SAFETY SOLUTIONS

ABOUT 75% OF EMPLOYEES IN NORTH AMERICA ARE MOBILE WORKERS. ADVANCES IN COMMUNICATIONS TECHNOLOGY MEANS THESE WORKERS CAN WORK ANYWHERE AT ANY TIME. THESE NEW TECHNOLOGIES ALSO MEAN THESE MOBILE…Continue

Tags: Solutions, People, IoT, Monitoring, Remote

Started by Jen McDade May 31.

Road Safety Solutions 14 Replies

The Road Safety Signs ,Barriers,Humps,Hazard Markers and Visual Warnings are some of the important marks to be observed. Signs such as "keep left",stop, "give way" should not be casually treated.…Continue

Tags: safety, gear, wear, Equipment, &

Started by Enna Henry. Last reply by Jen McDade May 31.

Remote Monitoring

Get "Safe Assets and Sound Productivity" Through Remote Monitoring.Visit:…Continue

Tags: Solutions, People, IoT, Monitoring, Remote

Started by Jen McDade May 23.

Python Condition Objects Tutorial in 2018 1 Reply

If you have knowledge of other programming languages, then you would know the importance of conditional statements. Conditional statements are required for taking decisions. Whenever we operate the…Continue

Tags: course, certification, training, languages, programming

Started by Elena Lauren. Last reply by Jim Chesters May 15.

Power BI Visualization Types

Visualizations in Power BI displays the visual insights from a data. In power bi service a visual can be pinned from reports to create dashboards. Visuals are used in reports.List of visualizations…Continue

Tags: COURSE, TRAINING, BI, POWER

Started by Azharuddin May 15.

Badge

Loading…

© 2018   Created by Safety Community.   Powered by

Badges  |  Report an Issue  |  Terms of Service