Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Edge Ask The Experts

05:00 PM
Kurtis Minder
Kurtis Minder
Ask the Experts
Connect Directly

How Should I Answer a Nontech Exec Who Asks, 'How Secure Are We?'

Consider this your opportunity to educate.

Question: How should I answer a nontech exec who asks, "How secure are we?"

Kurtis Minder, CEO of GroupSense: Depending on your relationship with your executive team, it might help to qualify the question first. Secure compared to what? Compared to similar companies of focus and size in the industry? Compared to NIST 171? Compared to PCI DSS? In order to measure something like this, it helps to have a reference baseline. Otherwise the answer is opaque and virtually meaningless. Regardless of the answer, it is important to convey that the threat landscape is fluid and security programs need to be also.

You should also use this type of question as an opportunity to educate. Say to the exec: "Before I answer that question, what's your nightmare? Which systems are you most concerned about being compromised?" Depending on the answer, you can educate the executive on your company's risk profile – what systems are most likely to be attacked, who is most likely to attack them, and what techniques are most likely to be used.

From there, you can then tell the executive everything you've done to mitigate that risk – but that you're never 100% secure because all it takes is for one employee to click on the wrong link in the wrong email, and all your security measures go downhill. Next, you can emphasize how everyone in the company has a responsibility to be cybersafe and keep the company secure – including the executive questioning you.

Related Content:


Kurtis Minder is the co-founder and CEO of GroupSense, an enterprise digital risk protection company. He is also a frequent contributor to the start-up community and serves as an advisor and mentor to growing companies. He arrived at GroupSense after more than 20 years in ... View Full Bio

Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
User Rank: Author
3/3/2020 | 4:57:12 AM
Resilience is also an important question
Executives should also ask about the readiness of the organization to deal with a successful attack; limiting the impact of an attack, ability to recover data and service in a reasonable time, etc.
User Rank: Apprentice
3/1/2020 | 3:54:59 AM
You will never be secure
I think that we will never be secure. Even famous companies and corporations faces big security issues. I think thatwe can only reduce the risk but necver be 100% sure that we are safe.
User Rank: Ninja
2/29/2020 | 11:47:11 AM
Great Article!
I found this article to be a breath of fresh air. Outside of the technical weeds we find ourselves in for many security articles, this one takes a different perspective and asks a question that I've been asked by executives countless times. 

It is a pragmatic approach to not spreading FUD but instead normalize the conversation between security and executive leadership. If we are not speaking the same language it will be nearly impossible to gain an understanding between the two components.
Post-Pandemic Presentation Plans

Source: J4vv4D

We'd love to hear your ideas, too! Add them the Comments section, below.

What security-related videos have made you laugh? Let us know! Send them to [email protected].

Name That Toon: The Lights Are On ...
Flash Poll