[BreachExchange] CISOs: How to Answer the 5 Questions Boards Will Ask You

Destry Winant destry at riskbasedsecurity.com
Tue Oct 2 19:38:31 EDT 2018


As boards learn the importance of cybersecurity, certain issues arise
on a regular basis. These tips can help you address them.

In recent years, boards of directors have started to become more aware
that they need to be concerned about cybersecurity. The work of
answering questions about security primarily falls to the CISO.
However, most board members don't "speak cyber," and most CISOs
struggle to provide information that boards look for in a way that
resonates with them, making board communication among the most
challenging and critical responsibilities that CISOs face.

To help CISOs better communicate with boards, Kudelski Security
recently surveyed its Client Advisory Council (CAC), a cybersecurity
think tank comprised of security leaders from global enterprises
including AES Corporation and Blue Cross Blue Shield. The survey found
that the key to helping boards understand cybersecurity is to
understand why they ask the questions they do. To that end, the CAC
report details a strategy to help CISOs plan how to answer the five
most challenging questions they're likely to get asked by board

Question 1: Are we secure?
The question "Are we secure?" is the most common and challenging
question CISOs get from the board. As CISOs know, this is not a simple
"yes" or "no" question, and answering definitively can affect the
security team's credibility.

The key to answering this question is to understand exactly what the
board is asking and how much they already know about cybersecurity.
Was a competitor recently breached? Is a worldwide ransomware attack
underway? Or is the person asking the question new to the board and
simply wants an update on the security posture of the organization?
Understanding the context will help determine the proper metrics to

Particularly for new board members, it's important to talk about
security as a journey, showing where the organization is today, where
you want to go, and areas of progress. It's also important to make it
clear that there is no such thing as bulletproof security.

Question 2: How do we know if we've been breached?
When asking this question, boards want to know how well prepared the
organization is to face the latest big attacks, and what the impact
would be if they were targeted. They are likely also wondering how the
company's security program compares with peers and competitors.

This question also comes down to assurance. Boards likely know you
can't guarantee 100% security, so they are seeking confidence from the
CISO that they have plans in place for a fast, effective breach

One way to assure the board that the security team is ready to respond
is by giving an overview of the incident response plan for specific
threats, including how the team has effectively responded to threats
in the past and any steps being taken to reduce dwell time. We also
recommend talking about the cyber insurance policy and any third-party
companies that can be called for response support and remediation.

Question 3: How does our security program compare with industry peers?
Budgets and bottom lines are top of mind for board members, so they
want to know if you're spending more or less on cybersecurity than

One way to respond is to benchmark your security program's maturity
with an industry standard, such as the NIST Cybersecurity Framework.
Start by communicating how the framework was selected and why it's
best for your enterprise. Then show how the program measures against
this framework, highlighting your starting point and progress toward
the target state. You can also compare your budget with peers, but
this will take some effort because gathering comparative data isn't
easy. You can try using forums, events, research firms, industry
peers, or your internal marketing department. The point to stress is
that spending doesn't necessarily indicate success — tools and
programs must be tailored to protect the crown jewels of an
organization based on the risks they face.

Question 4: Do we have enough resources for our cybersecurity program?
Board members want to know that security investments are used wisely and
whether the CISO really needs the resources he or she asks for. This
means they first need to understand what the "right" amount to spend
on security is.

The common approach in answering this question is to demonstrate how
the cybersecurity program supports the organization's mission,
business model, and growth goals. Determine shortfalls in tools,
staff, and external partnerships by looking at the program's current
maturity and associated business risk. This approach is the best bet
for getting approval on funding requests. Also, show the progress
you've made with current resources such as people, processes, and
existing technologies. Try to establish an open dialogue about the
potential ROI in program maturity improvements that additional
resources would bring.

If budget and resource constraints are keeping the security team from
achieving program goals, CISOs should emphasize the progress being
made (or not) with existing resources, and possible solutions. For
example, if it's a skills shortage issue, one solution to suggest is
hiring less-experienced and therefore less-expensive candidates with a
passion to learn.

Question 5: How effective is our security program, and is our
investment properly aligned?
The key to answering this question is to show alignment between the
security program and investment strategy. Although perfect security is
impossible, security programs must constantly evolve to stay ahead of
the latest threats. Reiterate current and target security states for
each element of your program and show how much the team has improved.
Show how supporting resources fit into the security program, where the
gaps are, and what investments are needed.

As board members become more aware of cybersecurity issues and the
potential threats to their organizations, CISOs must be more adept at
understanding what boards need so they can address their questions
clearly and confidently. Today's CISOs can succeed if they embrace a
strategic vision for their program and utilize stories and metrics
that support a true partnership with a shared cybersecurity vision.
