Online Safety Community

8 Tough Questions Every CISO Should Be Ready to Answer

8 Tough Questions Every CISO Should Be Ready to Answer

When a major security incident, such as the recent massive Equifax data breach, grabs headlines, CEOs start asking more questions about data security.

See Also: Addressing the Identity Risk Factor in the Age of ‘Need It Now’

CISOs need to be thinking about their answers to critical questions the CEO is likely to pose.

Information Security Media Group asked seven security experts what questions they believe CEOs should be asking CISOs, and what information CISOs should arm themselves with to be prepared to provide answers. Following are eight questions and the experts’ suggested responses.

We have been investing in cybersecurity for a few years now. Would you say our organization is secure?

Israel Bryski, vice president, technology risk, Goldman Sachs: To pre-empt this question, the CISO should have a conversation early on with the CEO to determine the organization’s risk appetite. This will allow the CISO to align and prioritize security initiatives accordingly.

We are in the business of information and technology risk management, so the “Are we secure?” question is somewhat misguided. The question should be: “Are we managing risk according to our risk profile?” To answer this, the CISO should be able to easily demonstrate, based on a recent risk assessment, how the various cybersecurity initiatives and projects are in fact reducing risk, shrinking the attack surface of the organization and aligning the security program with the firm’s overall risk profile.

We have a board meeting next week. Can you talk about cybersecurity in a way they will understand?

Mischel Kwon, former director of US-CERT and deputy CISO for the Department of Justice; currently CEO of MKACyber: CISOs should be able to confidently say “absolutely” to this question. They should be able to speak with the board in a very businesslike way and articulate what they are doing with the company’s money and how they are protecting the company and its assets.

The key to being able to speak to the board is to base their program on a business-focused model. That business model shows their capability founded on their maturity, and that maturity is based on the probability of detecting specific types of attacks. These are the type of attacks that are most likely to happen to them, and this is the risk to the business, its goals and its reputation that these attacks bring.

Do you have enough money to do what you need to do?

Tim Youngblood, CISO, McDonald’s: Depending on where CISO sits, this can be a hairy topic. That can be a difficult conversation to say “I’m not getting enough.” It’s not easy if the CIO is in the room.

The best way to answer that is, “We may have current risks we are really well-funded to address, but there may be future risks we’ll need to fund and we still have some work to figure that piece out.”

A CEO is not going to write you a blank check. The CEO is going to look at the CFO and CIO and say, “The CISO needs money. You take it out of your budget and make it happen.” There is not an extra pot of money waiting for anyone, so making the clear case for why it is needed is key.

Is this really worth the investment?

Heath Renfrow, CISO at U.S. Army Medicine: The best thing a CISO can do when asked this question is have multiple options they can present to the CEO. Explain to them: Here’s the full issue. This is the total cost to fix this issue. This is what we believe the cost will be if this issue doesn’t go away and how much it will be should the vulnerability be exploited.

As an example, we didn’t know not know where our protected health Information and personal identifying information resided across all systems when I first got to Army Medicine. It would be a huge HIPAA concern if we got hit on that, or if there was a leak or a violation. It could have cost millions of dollars and many jobs. I tied in the overall cost and broke it down to how much it would be per end-user device to address it and it came out to be an about $3.43 per end-user device. Then I tied in all the results of HIPAA violations in the past few years and the fines associated with them. You get your senior leaders attention real quick with that approach.

Rick Howard, CSO, Palo Alto Networks, adds: Questions like this are sure to arise as corporate leadership attempts to understand the business risk associated with a cyberattack. As a result, CIO/CISOs should be prepared to explain the total cost of a potential breach. Everything from business disruption and loss of customers to consequential legal fees and remediation can rack up the bill more quickly than leadership may realize.

Read More: http://snip.ly/q0zie#https://www.bankinfosecurity.com/8-tough-quest...

Views: 71

Comment

You need to be a member of Online Safety Community to add comments!

Join Online Safety Community

Take our poll!

Take our poll!

Latest Activity

Soujanya Naganuri posted a discussion

Flow of SAP MM and SUS Portal

SAP Material Management (MM) and SAP Supplier Self Service (SUS) and some customizable features of SAP SUS.In the Plan-Driven Procurement with Supplier Integration scenario the SAP SUS is installed and configured with SAP MM/SRM. Technically, in a classic scenario SAP SUS maybe connected with one or more MM and/or SRM back-end systems.PO is sent to SAP SUS system, in which supplier can perform the follow-on procurement process, i.e. PO response, ASN, GR response and invoice response.SAP…See More
18 hours ago
John Robinson posted blog posts
18 hours ago
Emma Miah posted a blog post

Latest Men’s Fashion Trends For Winter

Most people will agree that fashion trends use to fade, but the style is the one thing that is eternal. So, it’s always suggested that you should only follow the fashion trends that actually suits your personality. Winter is coming now it’s time to…See More
22 hours ago
Training Doyens updated an event
Thumbnail

Bitcoin: Fear, Uncertainty, and Doubt (FUD) at 26468 E Walker Dr, Aurora, Colorado 80016-6104

January 30, 2018 from 1pm to 2pm
OVERVIEWBitcoins have gotten much more traction than early detractors and pundits expected. With that reality, what do banks need to do, if anything, to prepare for their existence and surprising acceptance?This session will present the fundamental workings of virtual currencies with an emphasis on bitcoin and the current state of the regulatory front.  We will get your thinking caps energized as to how bankers might approach virtual currencies and some thoughts about what the future might hold…See More
23 hours ago

Forum

Flow of SAP MM and SUS Portal

SAP Material Management (MM) and SAP Supplier Self Service (SUS) and some customizable features of SAP SUS.In the Plan-Driven Procurement with Supplier Integration scenario the SAP SUS is installed…Continue

Tags: sapmmcourse, sapmmonline, sapmm

Started by Soujanya Naganuri 18 hours ago.

PEGA Axis error: Parser already accessed

We have a PEGA frontend, from in which we're keying in double byte characters like japanese and being send to allotted java webservice through axis. this is working best when we ship singlebyte…Continue

Tags: pega_training, pega_online, pega

Started by Soujanya Naganuri Dec 6.

VMware player error on install vmware tools.

 I've installed the last version of VMware player (4.0.2) and created a virtual machine with ubuntu 10.04. However, some operations with …Continue

Tags: training, online, vmware

Started by emmablisa Dec 1.

All About QlikView

QlikViewQlik relies on sophisticated analytics that enables data discovery using an in-memory engine to analyze data for patterns not visible via SQL data structures or queries. The company’s two…Continue

Tags: Safety, Qlikview

Started by nicolewells Nov 25.

Occupational Health and Safety 5 Replies

Health and safety are important aspects of an organisation’s smooth and effective functioning.  Did you know that workplace health & safety injuries cost Australian businesses over $60 billion…Continue

Tags: Safety, and, Health, Occupational

Started by WHS Solutions. Last reply by Tara safe Nov 16.

Badge

Loading…

© 2017   Created by Safety Community.   Powered by

Badges  |  Report an Issue  |  Terms of Service