Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Vulnerabilities / Threats

10:30 AM
John Hellickson
John Hellickson

CISOs: How to Answer the 5 Questions Boards Will Ask You

As boards learn the importance of cybersecurity, certain issues arise on a regular basis. These tips can help you address them.

In recent years, boards of directors have started to become more aware that they need to be concerned about cybersecurity. The work of answering questions about security primarily falls to the CISO. However, most board members don't "speak cyber," and most CISOs struggle to provide information that boards look for in a way that resonates with them, making board communication among the most challenging and critical responsibilities that CISOs face.

To help CISOs better communicate with boards, Kudelski Security recently surveyed its Client Advisory Council (CAC), a cybersecurity think tank comprised of security leaders from global enterprises including AES Corporation and Blue Cross Blue Shield. The survey found that the key to helping boards understand cybersecurity is to understand why they ask the questions they do. To that end, the CAC report details a strategy to help CISOs plan how to answer the five most challenging questions they're likely to get asked by board members.

Question 1: Are we secure?
The question "Are we secure?" is the most common and challenging question CISOs get from the board. As CISOs know, this is not a simple "yes" or "no" question, and answering definitively can affect the security team's credibility.

The key to answering this question is to understand exactly what the board is asking and how much they already know about cybersecurity. Was a competitor recently breached? Is a worldwide ransomware attack underway? Or is the person asking the question new to the board and simply wants an update on the security posture of the organization? Understanding the context will help determine the proper metrics to deliver.

Particularly for new board members, it's important to talk about security as a journey, showing where the organization is today, where you want to go, and areas of progress. It's also important to make it clear that there is no such thing as bulletproof security.

Question 2: How do we know if we've been breached?
When asking this question, boards want to know how well prepared the organization is to face the latest big attacks, and what the impact would be if they were targeted. They are likely also wondering how the company's security program compares with peers and competitors.

This question also comes down to assurance. Boards likely know you can't guarantee 100% security, so they are seeking confidence from the CISO that they have plans in place for a fast, effective breach response. 

One way to assure the board that the security team is ready to respond is by giving an overview of the incident response plan for specific threats, including how the team has effectively responded to threats in the past and any steps being taken to reduce dwell time. We also recommend talking about the cyber insurance policy and any third-party companies that can be called for response support and remediation.

Question 3: How does our security program compare with industry peers?
Budgets and bottom lines are top of mind for board members, so they want to know if you're spending more or less on cybersecurity than peers.

One way to respond is to benchmark your security program's maturity with an industry standard, such as the NIST Cybersecurity Framework. Start by communicating how the framework was selected and why it's best for your enterprise. Then show how the program measures against this framework, highlighting your starting point and progress toward the target state. You can also compare your budget with peers, but this will take some effort because gathering comparative data isn't easy. You can try using forums, events, research firms, industry peers, or your internal marketing department. The point to stress is that spending doesn't necessarily indicate success — tools and programs must be tailored to protect the crown jewels of an organization based on the risks they face.

Question 4: Do we have enough resources for our cybersecurity program?
Board members want to know security investments are used wisely and whether the CISO really needs the resources he or she asks for. This means they first need to understand what is the "right" amount to spend on security.

The common approach in answering this question is to demonstrate how the cybersecurity program supports the organization's mission, business model, and growth goals. Determine shortfalls in tools, staff, and external partnerships by looking at the program's current maturity and associated business risk. This approach is the best bet for getting approval on funding requests. Also, show the progress you've made with current resources such as people, processes, and existing technologies. Try to establish an open dialogue about the potential ROI in program maturity improvements that additional resources would bring.

If budget and resource constraints are keeping the security team from achieving program goals, CISOs should emphasize the progress being made (or not) with existing resources, and possible solutions. For example, if it's a skills shortage issue, one solution to suggest is hiring less-experienced and therefore less-expensive candidates with a passion to learn.

Question 5: How effective is our security program, and is our investment properly aligned?
The key to answering this question is to show alignment between the security program and investment strategy. Although perfect security is impossible, security programs must constantly evolve to stay ahead of the latest threats. Reiterate current and target security states for each element of your program and show how much the team has improved. Show how supporting resources fit into the security program, where the gaps are, and what investments are needed.

As board members become more aware of cybersecurity issues and the potential threats to their organizations, CISOs must be more adept at understanding what boards need so they can address their questions clearly and confidently. Today's CISOs can succeed if they embrace a strategic vision for their program and utilize stories and metrics that support a true partnership with a shared cybersecurity vision.

Related Content:


Black Hat Europe returns to London Dec. 3-6, 2018, with hands-on technical Trainings, cutting-edge Briefings, Arsenal open-source tool demonstrations, top-tier security solutions, and service providers in the Business Hall. Click for information on the conference and to register.

John Hellickson has more than 25 years of IT experience, the last two decades focused on security and risk management. He's served as an executive security consultant and trusted partner, providing companies with risk management strategies aligning technology, people, and ... View Full Bio
Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
User Rank: Ninja
10/2/2018 | 12:30:02 PM
Doesn't Speak Technical
These are some complex questions to answer as they are not so black and white. This becomes increasingly more difficult if the board has a hard time with technical/cyber security industry based terms. Many of the tips in the article are quite helpful. The most helpful in my mind is to be able to tell a story. The isn't a silver bullet so it helps to provide context as to where are the gaps and what is the current POA to fill them.
Stop Defending Everything
Kevin Kurzawa, Senior Information Security Auditor,  2/12/2020
Small Business Security: 5 Tips on How and Where to Start
Mike Puglia, Chief Strategy Officer at Kaseya,  2/13/2020
Architectural Analysis IDs 78 Specific Risks in Machine-Learning Systems
Jai Vijayan, Contributing Writer,  2/13/2020
Register for Dark Reading Newsletters
White Papers
Cartoon Contest
Current Issue
6 Emerging Cyber Threats That Enterprises Face in 2020
This Tech Digest gives an in-depth look at six emerging cyber threats that enterprises could face in 2020. Download your copy today!
Flash Poll
How Enterprises Are Developing and Maintaining Secure Applications
How Enterprises Are Developing and Maintaining Secure Applications
The concept of application security is well known, but application security testing and remediation processes remain unbalanced. Most organizations are confident in their approach to AppSec, although others seem to have no approach at all. Read this report to find out more.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
PUBLISHED: 2020-02-17
** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: CVE-2012-4531. Reason: This candidate is a duplicate of CVE-2012-4531. Notes: All CVE users should reference CVE-2012-4531 instead of this candidate. All references and descriptions in this candidate have been removed to prevent accidental u...
PUBLISHED: 2020-02-17
LPAR2RRD in 3.5 and earlier allows remote attackers to execute arbitrary commands due to insufficient input sanitization of the web GUI parameters.
PUBLISHED: 2020-02-17
Eval injection vulnerability in lib/TWiki/Plugins.pm in TWiki before 6.0.1 allows remote attackers to execute arbitrary Perl code via the debugenableplugins parameter to do/view/Main/WebHome.
PUBLISHED: 2020-02-17
SQL injection vulnerability in Zend Framework before 1.12.9, 2.2.x before 2.2.8, and 2.3.x before 2.3.3, when using the sqlsrv PHP extension, allows remote attackers to execute arbitrary SQL commands via a null byte.
PUBLISHED: 2020-02-17
Integer overflow in the jas_matrix_create function in JasPer allows context-dependent attackers to have unspecified impact via a crafted JPEG 2000 image, related to integer multiplication for memory allocation.