Clear communication between CISOs and their boards are key. Here are some of the toughest questions board members ask and strategies to answer them.
Chief information security officers (CISOs) often have trouble communicating ideas to their non-technical executive leaders, according to Kudelski Security. A CISO is a senior-level executive responsible for protecting technologies and information within an organization.
SEE: Cybersecurity in 2018: A roundup of predictions (Tech Pro Research)
Kudelski Security gathered CISOs and CIOs of global enterprises to comprise their Customer Advisory Council. The council conducted a research engagement determining the toughest questions CISOs face from board members, and the best strategies for answering them.
Here are the five hardest questions CISOs face from their boards:
1. Are we secure?
This question was the most common response because it's so broad, said the report. The council recommends figuring out how much the board knows about cybersecurity and fully understanding what the board is asking. Getting familiar with your board's knowledge of security will help you determine the best way to answer, continued the report.
The council's top response strategies were to set expectations, fill in knowledge gaps, communicate the journey, and validate your state of security. Explain that the perfect security plan doesn't exist, then dive into areas of cybersecurity the board isn't as comfortable with, communicate current and long-term goals, before presenting metrics that affirm your present security system.
2. How do we know if we have been breached?
With this question, boards are typically wanting to know how prepared their cybersecurity is to defend against the latest attack strategies, the report noted. Boards are really just wanting assurance.
The council recommends telling a story, outlining a response plan, and using metrics to validate (again) that plan. Use a storyboard to display a previous breach and explain how you've made adjustments since, then overview your current incident response plan, and finally use metrics to support analysis, said the report.
3. How does our security program compare to peers within the same industry?
Kudelski explained that this question is really a way for the board to determine if they are spending the appropriate amount on security.
There are three ways to approach this question. The report suggests using an industry standard framework as a benchmark, directly comparing security spending to peers, or comparing the maturity of different areas in your current program.
4. Do we have enough resources for our cybersecurity program?
This question is just expanding upon the last. Board members want to make sure CISOs have all the tools they need to protect the company, said the council.
The best response strategies are to show how your current program is supporting the organization's mission and goals, demonstrate good stewardship, and directly identify possible roadblocks while providing solutions, said the report.
5. How effective is our security program, and is our current investment strategy aligned to it properly?
The council emphasizes the word "align" in this question, making sure your security is on track with investments.
Proper responses include reinforcing security program strategies, showing cooperation between business objectives and evolving security contexts, and highlighting success of your programs, said the research report.
The big takeaways for tech leaders:
- CISOs often have trouble communicating with board members, especially when responding to tough questions about security.
- The top five hardest questions CISOs face all revolve around affirmation—assuring board members that their cybersecurity is effective.
- How to build a successful career in cybersecurity (free PDF) (TechRepublic)
- Cyber threat intelligence versus business risk intelligence: What you need to know (ZDNet)
- Cheat sheet: How to become a cybersecurity pro (TechRepublic)
- Equifax hires Home Depot's CISO to lead security turnaround (ZDNet)
- Security nightmares: These 3 threats keep CISOs up at night (TechRepublic)