6 Questions Every CISO Must Answer

The Protection Problem Space vs. The Security Problem Space

posted by Douglas Ferguson on September 23, 2018
Reading time: 3 min




When a corporate Board invests in security, they expect results. Usually, this means, “Keep us from having a headline making breach.” The threat landscape, the implications for the firm’s risk profile and the options available to mitigate risk are not well understood.

In fact, according to CSO Magazine, “Because cybersecurity issues are complex and technical, it is common for directors to express anxiety regarding whether the board has sufficient expertise and is informed enough to serve its risk oversight function in this area.”

That anxiety can lead to bad decision making, for example, “more than half of boards delegate responsibility for overseeing cybersecurity risk oversight solely to a compliance or audit committee,” according to CSO. A focus on compliance is not the same as focusing on managing corporate-wide risk. The Board understands what they want, but they don’t have a firm grasp on what they need.

What if they could be presented with information about cyber security in a familiar format, with familiar terms, like the CEO gets from all of their direct reports? Whether it’s the head of marketing, sales, engineering or business development, the conversations are grounded in data. They weigh investments versus expected returns.

Even if the Board have not explicitly asked for it…
Even if they, themselves, don’t realize it…

This is what they hired the CISO to deliver.
This is what the CISO is accountable to prove.

The result they need – above all else – are:
  1. Proof of protection from unacceptable impacts
  2. Determination of ideal risk appetite
  3. Best cost options to achieve the above

For the CISO, it’s been a struggle to find ways to answer these questions.

This results in a BIG GAP.

Security Board Report

The CISO faces consequences in failing to bridge the BIG GAP.

Because the Board wants:
  1. Protection from unacceptable business impacts, they must challenge the CISO’s strategy if the CISO can’t define and repeatably prove progress to that goal.
  2. Determination of ideal risk appetite, they must hold the CISO accountable if the CISO can’t show them evidence that stands up to scrutiny.
  3. To spend to get the greatest return, they must challenge the security budget if the CISO can’t prove maximum value from current and planned investment.

The above are day-to-day challenges that can lead to the CISO becoming the ‘fall guy’. This doesn’t necessarily need to be because of a public security breach, it can occur by simply being perceived as ineffectual by business leadership.

This makes the life of the CISO rather challenging, frustrating, and unrewarding.

To bridge this gap, a CISO needs to answer these questions in terms the business, not just security people, can understand and leverage.
  1. What are you trying to protect, and why?
  2. What level of protection do you have?
  3. What level of protection is justified and defensible?
  4. Do you have the plan to show how to achieve this cost effectively?
  5. Can you show that what you have achieved was done cost effectively?
  6. Can you show that protection results are to plan?

A quick introduction to why this BIG GAP exists.

The Protection Problem Space is about results – and the goals, strategy and business plan to achieve them.

The Security Problem Space is about execution and assurance – and the integrated operational plan to orchestrate it.

There is a fundamental difference between the mindsets.

The 6 questions are a foundation to bridge this gap and articulate, in a common language and understanding, the conversion of investment into actions into results and linking operational plans to business plans to achieve those results.

It’s important to point out that not even fully ‘integrated’ security programs, in the world’s largest organizations, with massive budgets come close to bridging this gap.

Business leadership do not need to know how or what security does – they need to make ‘opportunity cost’ decisions. How much impact mitigation can you give me for $x? Is there a point of diminishing return? What does this investment curve look like? Is there a sweet spot? Can it be defensible to stop trying to protect against some threats?

Even if they want to invest, can security deliver the robust evidence of results that business leadership can leverage in their interactions with their challengers.

In upcoming posts, we will continue to deconstruct this problem and will dive into many facets of how a CISO can help answer these questions in a pragmatic and objective way.