Question: How should I answer a nontech exec who asks, "How secure are we?"
Kurtis Minder, CEO of GroupSense: Depending on your relationship with your executive team, it might help to qualify the question first. Secure compared to what? Compared to similar companies of focus and size in the industry? Compared to NIST 171? Compared to PCI DSS? In order to measure something like this, it helps to have a reference baseline. Otherwise the answer is opaque and virtually meaningless. Regardless of the answer, it is important to convey that the threat landscape is fluid and security programs need to be also.
You should also use this type of question as an opportunity to educate. Say to the exec: "Before I answer that question, what's your nightmare? Which systems are you most concerned about being compromised?" Depending on the answer, you can educate the executive on your company's risk profile – what systems are most likely to be attacked, who is most likely to attack them, and what techniques are most likely to be used.
From there, you can then tell the executive everything you've done to mitigate that risk – but that you're never 100% secure because all it takes is for one employee to click on the wrong link in the wrong email, and all your security measures go downhill. Next, you can emphasize how everyone in the company has a responsibility to be cybersafe and keep the company secure – including the executive questioning you.
- US State Dept. Shares Insider Tips to Fight Insider Threats
- What Questions Should I Keep in Mind to Improve My Security Metrics?
- 10 Tough Questions CEOs Are Asking CISOs
- How Cybersecurity's Metrics of Misery Fail to Describe Cybercrime Pain