Dark Reading is part of the Informa Tech Division of Informa PLC


John Hellickson

CISOs: How to Answer the 5 Questions Boards Will Ask You

As boards learn the importance of cybersecurity, certain issues arise on a regular basis. These tips can help you address them.

In recent years, boards of directors have become more aware that cybersecurity is their concern. Answering the board's security questions falls primarily to the CISO. However, most board members don't "speak cyber," and most CISOs struggle to present the information boards want in a way that resonates with them. That makes board communication one of the most challenging and critical responsibilities a CISO has.

To help CISOs communicate better with boards, Kudelski Security recently surveyed its Client Advisory Council (CAC), a cybersecurity think tank made up of security leaders from global enterprises including AES Corporation and Blue Cross Blue Shield. The survey found that the key to helping boards understand cybersecurity is to understand why they ask the questions they do. To that end, the CAC report lays out a strategy for planning answers to the five most challenging questions CISOs are likely to get from board members.

Question 1: Are we secure?
"Are we secure?" is the most common and most difficult question CISOs get from the board. As every CISO knows, it is not a simple yes-or-no question, and a definitive answer either way can cost the security team its credibility the next time an incident proves it wrong.

The key to answering this question is to understand exactly what the board is asking and how much they already know about cybersecurity. Was a competitor recently breached? Is a worldwide ransomware attack underway? Or is the person asking the question new to the board and simply wants an update on the security posture of the organization? Understanding the context will help determine the proper metrics to deliver.

Particularly for new board members, it's important to talk about security as a journey, showing where the organization is today, where you want to go, and areas of progress. It's also important to make it clear that there is no such thing as bulletproof security.

Question 2: How do we know if we've been breached?
When asking this question, boards want to know how well prepared the organization is to face the latest big attacks, and what the impact would be if they were targeted. They are likely also wondering how the company's security program compares with peers and competitors.

This question also comes down to assurance. Boards generally know you can't guarantee 100% security, so they are looking for confidence from the CISO that the organization has plans in place for a fast, effective breach response.

One way to assure the board that the security team is ready to respond is to walk through the incident response plan for specific threats: how the team would detect the intrusion in the first place (monitoring coverage and time to detect), how it has responded effectively to incidents in the past, and what steps are being taken to reduce dwell time. We also recommend covering the cyber insurance policy and any third-party firms on retainer for response support and remediation.

Question 3: How does our security program compare with industry peers?
Budgets and bottom lines are top of mind for board members, so they want to know if you're spending more or less on cybersecurity than peers.

One way to respond is to benchmark the maturity of your security program against an industry standard such as the NIST Cybersecurity Framework, which organizes a program into the functions Identify, Protect, Detect, Respond, and Recover. Start by explaining how the framework was selected and why it fits your enterprise. Then show how the program measures against it, highlighting your starting point and progress toward the target state.

You can also compare your budget with peers, but this takes effort because comparative data isn't easy to come by. Sources include industry forums, events, research firms, peer CISOs, and your own marketing department. The point to stress is that spending does not by itself indicate success: tools and programs must be tailored to protect the organization's crown jewels against the risks it actually faces.

Question 4: Do we have enough resources for our cybersecurity program?
Board members want to know that security investments are used wisely and whether the CISO really needs the resources he or she asks for. To judge that, they first need to understand what the "right" amount to spend on security is.

The common approach in answering this question is to demonstrate how the cybersecurity program supports the organization's mission, business model, and growth goals. Determine shortfalls in tools, staff, and external partnerships by looking at the program's current maturity and associated business risk. This approach is the best bet for getting approval on funding requests. Also, show the progress you've made with current resources such as people, processes, and existing technologies. Try to establish an open dialogue about the potential ROI in program maturity improvements that additional resources would bring.

If budget and resource constraints are keeping the security team from achieving program goals, CISOs should emphasize the progress being made (or not) with existing resources, and possible solutions. For example, if it's a skills shortage issue, one solution to suggest is hiring less-experienced and therefore less-expensive candidates with a passion to learn.

Question 5: How effective is our security program, and is our investment properly aligned?
The key to answering this question is to show alignment between the security program and the investment strategy. Perfect security is impossible, but a program must keep evolving to stay ahead of current threats. Restate the current and target security state for each element of your program and show how much the team has improved. Show how supporting resources fit into the program, where the gaps are, and what investments are needed to close them.

As board members become more aware of cybersecurity issues and the threats their organizations face, CISOs must get better at understanding what boards need so they can answer their questions clearly and confidently. Today's CISOs can succeed if they embrace a strategic vision for their program and use stories and metrics that support a true partnership built on a shared cybersecurity vision.


John Hellickson has more than 25 years of IT experience, the last two decades focused on security and risk management. He's served as an executive security consultant and trusted partner, providing companies with risk management strategies aligning technology, people, and ...

10/2/2018 | 12:30:02 PM
Doesn't Speak Technical
These are some complex questions to answer as they are not so black and white. This becomes increasingly difficult if the board has a hard time with technical/cybersecurity industry terms. Many of the tips in the article are quite helpful. The most helpful in my mind is to be able to tell a story. There isn't a silver bullet, so it helps to provide context as to where the gaps are and what the current POA is to fill them.