Vulnerabilities / Threats

10/2/2018
10:30 AM
John Hellickson
John Hellickson
Commentary
100%
0%

CISOs: How to Answer the 5 Questions Boards Will Ask You

As boards learn the importance of cybersecurity, certain issues arise on a regular basis. These tips can help you address them.

In recent years, boards of directors have started to become more aware that they need to be concerned about cybersecurity. The work of answering questions about security primarily falls to the CISO. However, most board members don't "speak cyber," and most CISOs struggle to provide information that boards look for in a way that resonates with them, making board communication among the most challenging and critical responsibilities that CISOs face.

To help CISOs better communicate with boards, Kudelski Security recently surveyed its Client Advisory Council (CAC), a cybersecurity think tank comprised of security leaders from global enterprises including AES Corporation and Blue Cross Blue Shield. The survey found that the key to helping boards understand cybersecurity is to understand why they ask the questions they do. To that end, the CAC report details a strategy to help CISOs plan how to answer the five most challenging questions they're likely to get asked by board members.

Question 1: Are we secure?
The question "Are we secure?" is the most common and challenging question CISOs get from the board. As CISOs know, this is not a simple "yes" or "no" question, and answering definitively can affect the security team's credibility.

The key to answering this question is to understand exactly what the board is asking and how much they already know about cybersecurity. Was a competitor recently breached? Is a worldwide ransomware attack underway? Or is the person asking the question new to the board and simply wants an update on the security posture of the organization? Understanding the context will help determine the proper metrics to deliver.

Particularly for new board members, it's important to talk about security as a journey, showing where the organization is today, where you want to go, and areas of progress. It's also important to make it clear that there is no such thing as bulletproof security.

Question 2: How do we know if we've been breached?
When asking this question, boards want to know how well prepared the organization is to face the latest big attacks, and what the impact would be if they were targeted. They are likely also wondering how the company's security program compares with peers and competitors.

This question also comes down to assurance. Boards likely know you can't guarantee 100% security, so they are seeking confidence from the CISO that they have plans in place for a fast, effective breach response. 

One way to assure the board that the security team is ready to respond is by giving an overview of the incident response plan for specific threats, including how the team has effectively responded to threats in the past and any steps being taken to reduce dwell time. We also recommend talking about the cyber insurance policy and any third-party companies that can be called for response support and remediation.

Question 3: How does our security program compare with industry peers?
Budgets and bottom lines are top of mind for board members, so they want to know if you're spending more or less on cybersecurity than peers.

One way to respond is to benchmark your security program's maturity with an industry standard, such as the NIST Cybersecurity Framework. Start by communicating how the framework was selected and why it's best for your enterprise. Then show how the program measures against this framework, highlighting your starting point and progress toward the target state. You can also compare your budget with peers, but this will take some effort because gathering comparative data isn't easy. You can try using forums, events, research firms, industry peers, or your internal marketing department. The point to stress is that spending doesn't necessarily indicate success — tools and programs must be tailored to protect the crown jewels of an organization based on the risks they face.

Question 4: Do we have enough resources for our cybersecurity program?
Board members want to know security investments are used wisely and whether the CISO really needs the resources he or she asks for. This means they first need to understand what is the "right" amount to spend on security.

The common approach in answering this question is to demonstrate how the cybersecurity program supports the organization's mission, business model, and growth goals. Determine shortfalls in tools, staff, and external partnerships by looking at the program's current maturity and associated business risk. This approach is the best bet for getting approval on funding requests. Also, show the progress you've made with current resources such as people, processes, and existing technologies. Try to establish an open dialogue about the potential ROI in program maturity improvements that additional resources would bring.

If budget and resource constraints are keeping the security team from achieving program goals, CISOs should emphasize the progress being made (or not) with existing resources, and possible solutions. For example, if it's a skills shortage issue, one solution to suggest is hiring less-experienced and therefore less-expensive candidates with a passion to learn.

Question 5: How effective is our security program, and is our investment properly aligned?
The key to answering this question is to show alignment between the security program and investment strategy. Although perfect security is impossible, security programs must constantly evolve to stay ahead of the latest threats. Reiterate current and target security states for each element of your program and show how much the team has improved. Show how supporting resources fit into the security program, where the gaps are, and what investments are needed.

As board members become more aware of cybersecurity issues and the potential threats to their organizations, CISOs must be more adept at understanding what boards need so they can address their questions clearly and confidently. Today's CISOs can succeed if they embrace a strategic vision for their program and utilize stories and metrics that support a true partnership with a shared cybersecurity vision.

Related Content:

 

Black Hat Europe returns to London Dec. 3-6, 2018, with hands-on technical Trainings, cutting-edge Briefings, Arsenal open-source tool demonstrations, top-tier security solutions, and service providers in the Business Hall. Click for information on the conference and to register.

John Hellickson has more than 25 years of IT experience, the last two decades focused on security and risk management. He's served as an executive security consultant and trusted partner, providing companies with risk management strategies aligning technology, people, and ... View Full Bio
Comment  | 
Print  | 
More Insights
Comments
Oldest First  |  Newest First  |  Threaded View
RyanSepe
50%
50%
RyanSepe,
User Rank: Ninja
10/2/2018 | 12:30:02 PM
Doesn't Speak Technical
These are some complex questions to answer as they are not so black and white. This becomes increasingly more difficult if the board has a hard time with technical/cyber security industry based terms. Many of the tips in the article are quite helpful. The most helpful in my mind is to be able to tell a story. The isn't a silver bullet so it helps to provide context as to where are the gaps and what is the current POA to fill them.
12 Free, Ready-to-Use Security Tools
Steve Zurier, Freelance Writer,  10/12/2018
Most IT Security Pros Want to Change Jobs
Dark Reading Staff 10/12/2018
6 Security Trends for 2018/2019
Curtis Franklin Jr., Senior Editor at Dark Reading,  10/15/2018
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: This comment is waiting for review by our moderators.
Current Issue
Flash Poll
The Risk Management Struggle
The Risk Management Struggle
The majority of organizations are struggling to implement a risk-based approach to security even though risk reduction has become the primary metric for measuring the effectiveness of enterprise security strategies. Read the report and get more details today!
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2018-10839
PUBLISHED: 2018-10-16
Qemu emulator <= 3.0.0 built with the NE2000 NIC emulation support is vulnerable to an integer overflow, which could lead to buffer overflow issue. It could occur when receiving packets over the network. A user inside guest could use this flaw to crash the Qemu process resulting in DoS.
CVE-2018-13399
PUBLISHED: 2018-10-16
The Microsoft Windows Installer for Atlassian Fisheye and Crucible before version 4.6.1 allows local attackers to escalate privileges because of weak permissions on the installation directory.
CVE-2018-18381
PUBLISHED: 2018-10-16
Z-BlogPHP 1.5.2.1935 (Zero) has a stored XSS Vulnerability in zb_system/function/c_system_admin.php via the Content-Type header during the uploading of image attachments.
CVE-2018-18382
PUBLISHED: 2018-10-16
Advanced HRM 1.6 allows Remote Code Execution via PHP code in a .php file to the user/update-user-avatar URI, which can be accessed through an "Update Profile" "Change Picture" (aka user/edit-profile) action.
CVE-2018-18374
PUBLISHED: 2018-10-16
XSS exists in the MetInfo 6.1.2 admin/index.php page via the anyid parameter.