In the first part of this series, I introduced the research on CISO board communications and metrics that Kudelski Security performed in collaboration with our Client Advisory Council. The report is available in full here. As with all meaty reports, there’s a lot of content. This article covers some of the interesting insights that didn’t make the final cut.

Questions CISOs Are Typically Asked by Boards

In an initial survey of our Council Members, we asked which questions CISOs are typically asked by the board. The full list appears below; we explore some of the top questions in more depth in the next section.

Top Questions CISOs Are Frequently Asked

Frequently Asked Question                                                                 Frequency   Degree of Difficulty
Are we secure? How do we know?                                                            61%         141
How do we know if we have been hacked or breached?                                        48%         122
Are we spending the right amount on our cybersecurity program?                            39%         107
How do we compare to peers within the same industry?                                      48%         98
How effective is our security program?                                                    39%         98
Is our investment in cybersecurity going towards the right priorities?                    43%         97
What are the key cyber threats that influence the company’s cybersecurity risk strategy?  43%         87
How confident are you that we will be out of the news?                                    35%         85
Do we have cyber insurance? How much coverage do we need?                                 13%         82
Have we been breached? What was learned? How will breaches be prevented in the future?    35%         80
What do we consider our most valuable assets?                                             30%         73
How are we managing risk? What is our risk tolerance?                                     22%         63
Is our security program aligned with our business revenue streams?                        9%          59
Where do management and our IT team disagree on cybersecurity?                            9%          53

Degree of difficulty was ranked 1-5; the numbers shown are aggregate responses.

The broad consensus among our Council Members was that the question “Are we secure? How do we know?” is both the most frequent and the most challenging question that boards ask CISOs.

As with all strategies, there is no one-size-fits-all approach, so the report offers a range of strategies to be evaluated and implemented according to your organization’s profile and your board’s requirements.

It’s worth noting that CISOs spend an average of 10-20 hours preparing their response to this question, so in the interest of saving time, it’s a question worth preparing for in advance.

Here are the five key takeaways:

  1. One Fortune 500 CISO suggests this is not a simple black-or-white answer, as there is no such thing as 100% secure. We are always going to have more vulnerabilities, because the threats constantly change. He prefers to talk about security as a journey, using a security maturity model, a framework that can be used to measure progress.
  2. It was commonly agreed that this question needs to be bridged to an industry framework. The board needs to understand that you are measuring the maturity of your company’s capabilities and aligning it to the industry norm.
  3. Start by presenting the cybersecurity maturity model – the best-practice framework for your industry (such as NIST CSF, ISO, etc.) that you are aligned to – and show where you are today on that journey, measured against the company’s maturity goals.
  4. Continue by presenting where you want to get to, and pivot your answer to a risk management discussion by showing the current level of risk. You should be able to explain to the board whether your current level is above, equal to, or below the company’s risk profile, risk tolerance, or risk acceptance levels.
  5. Next, show the board how you have reduced the risk of compromise to critical assets, using metrics that demonstrate improvement trends. It is key to validate your state of security: provide direct, fact-based answers that you can back up with metrics such as event monitoring results or third-party audits.

One of our Council Members, a CISO in the Computer Hardware industry, said: “Always have data to back up your recommendations. Stay away from opinions.”

A particularly interesting outcome of our discussion with the CISOs on the Advisory Council was that a key metric and focus for the CISO must be the ability to respond to and recover from attacks, and not just any attack, but the more targeted attacks.

This is a good way to confirm that the defenses are operating well. As Pete Naumovski, VP and CISO of BCBSA, states: “In a perfect world, the absolute metric for a CISO to have is the MTTD / MTTR of a more targeted attack.” Or as Ginny Davis, CIO and CSO of Technicolor, puts it: “Your ability to respond and recover is equally important to how secure you are.”

Five Best Practices for Better CISO Board Presentations

While we are on the subject of presentations, here is a summary of the top five presentation tips from our Council Members:

  1. Keep the same format for each board presentation.
  2. Use a heatmap to demonstrate risk drivers or a spider graph to show multiple data points.
  3. Keep the message on each slide focused and leave plenty of white space.
  4. Show progress over time, including trends, outcomes, and risk reduction.
  5. Show improvements in your ability to respond to and recover from an attack, with examples such as reduced attacker dwell time for threats like phishing or malware.

Read the Full Report

Read the full report and get enterprise CISOs’ perspectives, examples, meaningful metrics, and a range of strategies to prepare for challenging questions from the boardroom. Look out for Part 3 of this series for a more detailed focus on peer comparison.