Dark Reading is part of the Informa Tech Division of Informa PLC


Edge Features

2/20/2020 09:20 AM
Joan Goodchild

10 Tough Questions CEOs Are Asking CISOs

CEOs today are prepared with better questions than 'Are we secure,' and chief information security officers had better be ready to answer.


How Will This Affect Operations?

While certain security tools, technologies, and processes will be essential to risk mitigation, just about every veteran security manager knows they can come at the price of convenience and productivity. How should this be explained to management? Be prepared to make a convincing case when asked why certain sacrifices may be needed.

"If security controls impact the ability to realize business goals, they likely won’t be supported," Hamm says. "It’s important to tie the risk with the acceptance of some productivity hurdles. That said, if your control proposal is to 'stop all risk,' you’re going to have a bad time. Think guardrails, not roadblocks, when pitching controls to the business."

So What?

As CISOs increasingly command time with the board and executive management, they are also expected to speak in business language and make the case for security investment in business terms. In other words, don’t enter a meeting ready to spew security jargon and expect less security-minded management to understand why certain risks matter.

"Security as a standalone concept is useless and means drastically different things to different people," says Gigamon CISO Jack Hamm. "Being ready to articulate the risk, probability, and impact to the business is the only normalized way we can speak of security."

Joan Goodchild is a veteran journalist, editor, and writer who has been covering security for more than a decade. She has written for several publications and previously served as editor-in-chief for CSO Online.