6 Questions Every CISO Must Answer
The Protection Problem Space vs. The Security Problem Space
posted by Douglas Ferguson on September 23, 2018
When a corporate Board invests in security, they expect results. Usually, this means, “Keep us from having a headline-making breach.” The threat landscape, the implications for the firm’s risk profile and the options available to mitigate that risk are not well understood at Board level.
In fact, according to
CSO Magazine, “Because cybersecurity issues are complex and technical, it is
common for directors to express anxiety regarding whether the board has
sufficient expertise and is informed enough to serve its risk oversight
function in this area.”
This anxiety can lead to bad decision making. For example, “more than half of boards delegate responsibility for overseeing cybersecurity risk oversight solely to a compliance or audit committee,” according to CSO. A focus on compliance is not the same as managing corporate-wide risk. The Board understands what they want, but they don’t have a firm grasp on what they need.
What if they could be presented with information about cyber security in a familiar format, with familiar terms, like the CEO gets from all of their direct reports? Whether it’s the head of marketing, sales, engineering or business development, the conversations are grounded in data. They weigh investments versus expected returns.
Even if the Board have not explicitly asked for it…
Even if they, themselves, don’t realize it…
This is what they hired the CISO to deliver.
This is what the CISO is accountable to prove.
The results they need – above all else – are:
Assurance of protection from unacceptable business impacts
Determination of ideal risk appetite
Least-cost options to achieve the greatest return
For the CISO, it’s been a struggle to find ways to answer these questions.
This results in a BIG GAP, and there are consequences in failing to bridge the BIG GAP.
If the Board wants:
Protection from unacceptable business impacts, they must challenge the CISO’s strategy if the CISO can’t define and repeatably prove progress toward that goal.
Determination of ideal risk appetite, they must hold the CISO accountable if the CISO can’t show evidence that stands up to scrutiny.
To spend to get the greatest return, they must challenge the security budget if the CISO can’t show maximum value from current and planned investment.
The above are day-to-day challenges that can lead to the CISO becoming the ‘fall guy’. This doesn’t necessarily need to be because of a public security breach; it can occur simply by being perceived as ineffectual by business leadership.
This makes the life of the CISO rather challenging, frustrating, and unrewarding.
To bridge this gap, a CISO needs to answer these questions in terms the business, not just security people, can understand and leverage:
1. What are you trying to protect, and why?
2. What level of protection do you have?
3. What level of protection is justified and defensible?
4. Do you have the plan to show how to achieve this cost effectively?
5. Can you show that what you have achieved was done cost effectively?
6. Can you show that protection results are to plan?
A quick introduction to why this BIG GAP exists:
The Protection Problem Space is about results – and the goals, strategy and business plan to achieve them.
The Security Problem Space is about execution and assurance – and the integrated operational plan to deliver them.
There is a fundamental difference between the two mindsets.
These 6 questions are a foundation to bridge this gap and to articulate, in a common language and understanding, the conversion of investment into actions into results, linking operational plans to business plans to achieve those results.
It is important to point out that not even fully ‘integrated’ security programs, in the world’s largest organizations, with massive budgets, come close to bridging this gap.
The Board does not need to know how or what security does – they need to make ‘opportunity cost’ decisions. How much impact mitigation can you give me for $x? Is there a point of diminishing return? What does this investment curve look like? Is there a sweet spot? Can it be defensible to stop trying to protect against some threats?
And if they do want to invest, can security deliver the robust evidence of results that business leadership can leverage in their interactions with their challengers?
In future posts we will continue to deconstruct this problem and dive into many facets of how a CISO can answer these questions in a pragmatic and objective way.