Vulnerabilities / Threats

10/2/2018 10:30 AM
John Hellickson
Commentary

CISOs: How to Answer the 5 Questions Boards Will Ask You

As boards learn the importance of cybersecurity, certain issues arise on a regular basis. These tips can help you address them.

In recent years, boards of directors have started to become more aware that they need to be concerned about cybersecurity. The work of answering questions about security primarily falls to the CISO. However, most board members don't "speak cyber," and most CISOs struggle to provide information that boards look for in a way that resonates with them, making board communication among the most challenging and critical responsibilities that CISOs face.

To help CISOs better communicate with boards, Kudelski Security recently surveyed its Client Advisory Council (CAC), a cybersecurity think tank comprised of security leaders from global enterprises including AES Corporation and Blue Cross Blue Shield. The survey found that the key to helping boards understand cybersecurity is to understand why they ask the questions they do. To that end, the CAC report details a strategy to help CISOs plan how to answer the five most challenging questions they're likely to get asked by board members.

Question 1: Are we secure?
The question "Are we secure?" is the most common and challenging question CISOs get from the board. As CISOs know, this is not a simple "yes" or "no" question, and answering definitively can affect the security team's credibility.

The key to answering this question is to understand exactly what the board is asking and how much they already know about cybersecurity. Was a competitor recently breached? Is a worldwide ransomware attack underway? Or is the person asking the question new to the board and simply wants an update on the security posture of the organization? Understanding the context will help determine the proper metrics to deliver.

Particularly for new board members, it's important to talk about security as a journey, showing where the organization is today, where you want to go, and areas of progress. It's also important to make it clear that there is no such thing as bulletproof security.

Question 2: How do we know if we've been breached?
When asking this question, boards want to know how well prepared the organization is to face the latest big attacks, and what the impact would be if they were targeted. They are likely also wondering how the company's security program compares with peers and competitors.

This question also comes down to assurance. Boards likely know you can't guarantee 100% security, so they are seeking confidence from the CISO that plans are in place for a fast, effective breach response.

One way to assure the board that the security team is ready to respond is by giving an overview of the incident response plan for specific threats, including how the team has effectively responded to threats in the past and any steps being taken to reduce dwell time. We also recommend talking about the cyber insurance policy and any third-party companies that can be called for response support and remediation.

Question 3: How does our security program compare with industry peers?
Budgets and bottom lines are top of mind for board members, so they want to know if you're spending more or less on cybersecurity than peers.

One way to respond is to benchmark your security program's maturity with an industry standard, such as the NIST Cybersecurity Framework. Start by communicating how the framework was selected and why it's best for your enterprise. Then show how the program measures against this framework, highlighting your starting point and progress toward the target state. You can also compare your budget with peers, but this will take some effort because gathering comparative data isn't easy. You can try using forums, events, research firms, industry peers, or your internal marketing department. The point to stress is that spending doesn't necessarily indicate success — tools and programs must be tailored to protect the crown jewels of an organization based on the risks they face.

Question 4: Do we have enough resources for our cybersecurity program?
Board members want to know that security investments are used wisely and whether the CISO really needs the resources he or she asks for. This means they first need to understand what the "right" amount to spend on security is.

The common approach in answering this question is to demonstrate how the cybersecurity program supports the organization's mission, business model, and growth goals. Determine shortfalls in tools, staff, and external partnerships by looking at the program's current maturity and associated business risk. This approach is the best bet for getting approval on funding requests. Also, show the progress you've made with current resources such as people, processes, and existing technologies. Try to establish an open dialogue about the potential ROI in program maturity improvements that additional resources would bring.

If budget and resource constraints are keeping the security team from achieving program goals, CISOs should emphasize the progress being made (or not) with existing resources, and possible solutions. For example, if it's a skills shortage issue, one solution to suggest is hiring less-experienced and therefore less-expensive candidates with a passion to learn.

Question 5: How effective is our security program, and is our investment properly aligned?
The key to answering this question is to show alignment between the security program and investment strategy. Although perfect security is impossible, security programs must constantly evolve to stay ahead of the latest threats. Reiterate current and target security states for each element of your program and show how much the team has improved. Show how supporting resources fit into the security program, where the gaps are, and what investments are needed.

As board members become more aware of cybersecurity issues and the potential threats to their organizations, CISOs must be more adept at understanding what boards need so they can address their questions clearly and confidently. Today's CISOs can succeed if they embrace a strategic vision for their program and utilize stories and metrics that support a true partnership with a shared cybersecurity vision.


John Hellickson has more than 25 years of IT experience, the last two decades focused on security and risk management. He's served as an executive security consultant and trusted partner, providing companies with risk management strategies aligning technology, people, and ...
Comments
RyanSepe
User Rank: Ninja
10/2/2018 | 12:30:02 PM
Doesn't Speak Technical
These are some complex questions to answer as they are not so black and white. This becomes increasingly more difficult if the board has a hard time with technical/cybersecurity-industry terms. Many of the tips in the article are quite helpful. The most helpful in my mind is to be able to tell a story. There isn't a silver bullet, so it helps to provide context as to where the gaps are and what the current POA is to fill them.