In the C-Suite, there is often a disconnect between CEOs and CISOs. It’s a technical gap between the roles that many CEOs steer clear of - hesitant to dip their feet in the tech waters lest they fall in over their heads.
Even though CISOs are security professionals, they’re also pivotal members of senior management in many cases. This means that they should be well-aware and constantly up to speed on every aspect of organizational security, especially as it relates to business.
With this in mind, CEOs need to expect their CISOs to answer business-related questions that non-technical people can understand. CEOs need to ask tough questions, expect specific answers framed in a business context and be ready and willing to act decisively if gaps are discovered.
By way of example, here are five tough questions that every CEO should be asking their CISO:
1) How Robust Is Our Cyber-Resilience Program?
How updated is our cyber-resilience strategy, how often is it tested and what kind of resilience drills is it subjected to? What are our exact plans to get up and running following a breach or a ransomware attack? How secure are we from the latest threats right now? How exposed are we to current vulnerabilities? How do possible holes in our security posture potentially affect our business today and going forward
2) What’s Your Most Important Success Metric?
How do you judge and quantify the success or failure of your role in the company? Do we have a baseline that we can monitor over time so that all stakeholders can track progress? How do you explain these baselines to me and – perhaps more importantly – to the hoard in a way they can understand? Do you have the tools to give you all the information and visibility you need?
3) How Are We Managing Digital Supply Chain Risk?
What exactly do we control in our digital supply chain? What do we not control? What is our policy to prevent digital supply chain attacks and mitigate supply chain vulnerabilities? How do we monitor third-party assets and sources that are directly tied into our organization’s website, applications and core IT network? Are we monitoring all partnerships, offerings and any technology that intersects with our company and systems? How far downstream does our supply chain protection reach? Are we also monitoring the third parties of our own third parties?
4) How Are You Working To Make Security a Profit Center?
Do you see your role as purely technical or one of business enablement? How are you aligning your strategic risk profiles and technology to support our business goals - driving and protecting revenue in the most risk-acceptable manner possible? Are you measuring security program success only in terms of security itself – whether or not valuable data is protected? Or does your security strategy enable agility and innovation – helping our business to move faster in a secure manner? Lastly, given the flood of information coming from your network and the wide variety of reports you receive from your security solutions, how do you prioritize your team tasks?
5) How Are You Facilitating a Positive Security Culture Within the Organization?
Are you creating a climate where it’s safe to talk about hard security truths – places where the organization may be exposed and needs to improve? Are you inviting an honest and open discussion about our security strengths and weaknesses? Is our security training effective and quantifiable? How are we preparing our employees to handle phishing and social engineering attacks? Are we just monitoring them or helping them learn to protect the organization actively?
The Bottom Line
There’s really no reason for a gap in CEO-CISO communication. Today, everyone in the organization, from the top-down, is a security stakeholder. This means that all security policies and solutions should be accessible and understandable. Yet, more importantly, cybersecurity should be quantifiable – not based on assumptions but numbers.
Finally, CEOs must internalize the fact that ‘quiet’ is not a security success metric. CISOs may very well be doing their job perfectly when there are no incidents. However, ‘quiet’ can also be the silence before the storm. The time to ask these tough questions is before incidents occur, not in after-action reviews.
