Five Questions Every CISO Should Be Able To Answer In The Boardroom

This article was originally published by Forbes on July 10, 2024.

Some organizations may continue to debate whether CISOs should have a seat at the executive table and a voice in the boardroom. However, the fact that the CISO’s position is at the crux of a company’s security posture is undeniable and increasingly important to how an organization is led.

Regulatory mandates such as the Securities and Exchange Commission’s new cyber incident reporting rules and other regulatory requirements at the federal, state and international levels have raised the stakes on accountability for cyber incidents at the executive level. The current ransomware epidemic and other attacks have also demonstrated that cyber incidents threaten companies’ operations and reputations.

Regardless of a CISO’s position in the corporate hierarchy, boards are paying more attention to cybersecurity. To put it simply, the biggest question boards should ask company management when it comes to cybersecurity risk is: “Are we OK?”

That, however, is a loaded question. A simple yes or no won’t do. CISOs need to explain to top executives and board members why a company’s security posture is good in a language they understand. They must provide evidence that assets are secure, explain how security is measured and demonstrate how the company’s security posture is evolving.

Answering that one question adequately requires CISOs to answer five crucial questions. The board might not ask these questions explicitly, but addressing them at each meeting can effectively communicate an organization’s cyber risk posture.

1. Where is the proof that our critical assets are secure?
Being prepared to answer this question is an example of how anticipating what the board needs to know can help CISOs improve their performance.

Too often, security leaders have made decisions based on their best guess. Providing proof of security can require combining vulnerability management and exposure management with traditional asset intelligence, which gives you a complete picture of your critical assets. These are the assets that carry SEC-relevant business risk, fall under a Payment Card Industry (PCI) mandate, hold sensitive customer data or form a mission-critical part of the supply chain.

Listing your critical assets and identifying which don’t have issues and which do is a powerful thing to take to the board. If security executives want to be treated like other senior executives, such as a CFO, they must come armed with empirical evidence and make their case based on evidence-based measures.

2. How is the security of our critical assets trending quarter over quarter?
After identifying critical assets, you need to show whether your security posture is better than last week, last month or last quarter and explain why it’s better—or worse. In the latter case, CISOs can pitch for more resources or a larger budget if they can show that inadequate security results from a lack of resources, people or licenses.

In either case, tracking trends over time encourages CISOs to think more strategically.

3. Can you show us metrics on where we need to invest to enhance critical asset protection?
In addition to showing the organization’s critical assets and identifying those with issues, you need to go deeper into the cause of those issues. For example, you can identify assets that are exposed because they are at end of life, are missing security controls or lack patch management.

Security executives can also show how many tickets are open and what rate of progress they’re making on them. They can also show where a lack of investment is causing exposure.

4. What are the vulnerability remediation times for assets that support mission-critical operations?
Remediation isn’t just finding and fixing a problem. A crucial question is: How long did it take? Organizations must set parameters for their applications and other assets, establishing target remediation times.

For some assets, 14 days might be a reasonable target, but mission-critical assets may require a much smaller window—four days, three days or even less time. Mean time to remediation (MTTR) is an important KPI for incident response and can ultimately impact a company’s accountability.

5. Where is the evidence to demonstrate that assets subject to regulatory mandates are in compliance?
To provide evidence that assets are in compliance, solutions like configuration management databases (CMDBs) let you tag certain assets as critical, such as anything running Oracle or everything in the cloud. Importing that information or tagging it within an asset intelligence solution allows you to layer the business context atop other measures to offer visibility into the status of critical assets.

In addition to tagging critical assets, you can, for instance, identify all critical assets relative to PCI regulations or tied to financial services at the end of a quarter or fiscal year. Asset intelligence and business-context tagging allow CISOs to fine-tune metrics to specific assets, giving the board a clearer idea of the company’s risk management posture.
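Questions 2, 4 and 5 all come down to the same data: an asset inventory carrying business-context tags (PCI, SEC, cloud, mission-critical), a tiered remediation target per asset, and a ticket history with open and close dates. The script below is an added example, not code from the article or from Forbes; the asset names, tags, targets and tickets are all constructed for illustration. It computes mean time to remediation per quarter (overall and for one tag, so a quarter-over-quarter trend can be shown and explained), lists every finding that exceeded its tier’s target, including still-open findings that are already overdue, and produces a per-asset compliance view for a regulatory tag such as PCI.

```python
from dataclasses import dataclass
from datetime import date
from statistics import mean
from typing import Dict, List, Optional, Tuple

# Constructed asset inventory (hypothetical asset names). The tags stand in for the business
# context a CMDB or asset-intelligence tool would carry; target_days is the remediation
# target for that asset's tier (mission-critical tiers get the shortest window).
ASSETS = {
    "pay-api-01":   {"tags": {"pci", "mission-critical"}, "target_days": 4},
    "erp-db-01":    {"tags": {"sec", "mission-critical"}, "target_days": 4},
    "wiki-01":      {"tags": {"internal"},                "target_days": 14},
    "cloud-etl-02": {"tags": {"cloud", "pci"},            "target_days": 7},
}

# Reporting date for the board pack (constructed).
AS_OF = date(2024, 6, 30)


@dataclass
class Finding:
    """One vulnerability ticket against an asset; closed is None while it is still open."""
    asset: str
    opened: date
    closed: Optional[date] = None


# Constructed ticket history spanning two quarters.
FINDINGS = [
    Finding("pay-api-01", date(2024, 1, 10), date(2024, 1, 12)),
    Finding("pay-api-01", date(2024, 4, 3), date(2024, 4, 10)),
    Finding("erp-db-01", date(2024, 2, 1), date(2024, 2, 4)),
    Finding("erp-db-01", date(2024, 5, 6), date(2024, 5, 8)),
    Finding("wiki-01", date(2024, 1, 15), date(2024, 2, 10)),
    Finding("wiki-01", date(2024, 5, 20), date(2024, 5, 30)),
    Finding("cloud-etl-02", date(2024, 6, 20)),  # still open at AS_OF
]


def quarter(d: date) -> str:
    """Calendar quarter label, e.g. 2024Q2, used to bucket findings by their open date."""
    return f"{d.year}Q{(d.month - 1) // 3 + 1}"


def age_days(f: Finding, as_of: date) -> int:
    """Days from open to close, or from open to the reporting date if still open."""
    return ((f.closed or as_of) - f.opened).days


def mttr_by_quarter(findings: List[Finding], tag: Optional[str] = None) -> Dict[str, float]:
    """Mean days-to-close per quarter for closed findings, optionally limited to assets
    carrying a tag. Comparing consecutive quarters gives the trend for question 2."""
    buckets: Dict[str, List[int]] = {}
    for f in findings:
        if f.closed is None:
            continue
        if tag is not None and tag not in ASSETS[f.asset]["tags"]:
            continue
        buckets.setdefault(quarter(f.opened), []).append(age_days(f, f.closed))
    return {q: round(mean(days), 1) for q, days in sorted(buckets.items())}


def sla_breaches(findings: List[Finding], as_of: date) -> List[Tuple[str, int, int]]:
    """(asset, days, target) for every finding that exceeded its tier's target.
    Open findings count from their open date, so an overdue ticket shows up before it closes."""
    breaches = []
    for f in findings:
        target = ASSETS[f.asset]["target_days"]
        days = age_days(f, as_of)
        if days > target:
            breaches.append((f.asset, days, target))
    return breaches


def compliance_evidence(findings: List[Finding], tag: str, as_of: date) -> Dict[str, Dict[str, int]]:
    """Per asset carrying the regulatory tag: open findings and how many are past target.
    An asset with zero open findings is the evidence question 5 asks for."""
    report = {name: {"open": 0, "overdue": 0}
              for name, meta in ASSETS.items() if tag in meta["tags"]}
    for f in findings:
        if f.closed is None and f.asset in report:
            report[f.asset]["open"] += 1
            if age_days(f, as_of) > ASSETS[f.asset]["target_days"]:
                report[f.asset]["overdue"] += 1
    return report


if __name__ == "__main__":
    print("MTTR (all assets):", mttr_by_quarter(FINDINGS))
    print("MTTR (mission-critical):", mttr_by_quarter(FINDINGS, tag="mission-critical"))
    print("Target breaches:", sla_breaches(FINDINGS, AS_OF))
    print("PCI evidence:", compliance_evidence(FINDINGS, "pci", AS_OF))
```

With the constructed data the overall MTTR improves from Q1 to Q2, but the mission-critical MTTR gets worse (2.5 to 4.5 days, against a four-day target), which is exactly the kind of divergence the trend question is meant to surface. Tagging is what makes that split possible: the same ticket history filtered by business context answers a different board question.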

Conclusion
No matter where CISOs rank in a company’s hierarchy, they are on the hot seat regarding cybersecurity. The heat increasingly extends to executive leadership and the boardroom.

CISOs who can clearly explain a company’s security posture, how it has evolved and where it needs greater resources can assuage top-level fears over security while demonstrating why security executives deserve a seat at the table.
