Five Questions Every Board Should Ask Their CISO

This article first appeared in Directors and Boards

Not all board members have cybersecurity expertise, but all can play a vital role in protecting their company’s sensitive information. It comes down to asking the right cybersecurity questions of the company’s chief information security officer (CISO), including questions on risk frameworks, threat actor profiles and appetite for customer friction.

The Role of CISOs

CISOs occupy a unique position within most companies since cybersecurity deals with motivated attackers who actively attempt to circumvent controls. Other forms of risk, such as a fire in a facility or a disruption in the supply chain, tend to be random. With motivated attackers, every vulnerability will eventually be found and exploited. The result is that some CISOs try to prevent all exploits, a mission that is both doomed to fail and potentially harmful to the business.

Boards (along with their CEOs) should communicate a different message to CISOs:

“First, we understand that it’s not feasible to eliminate all risks, and we don’t want to try. Instead, we want to manage risks intelligently and accept that there will be outlier events that we need to react to and recover from. The more likely the probability and more extreme the impact, the more the event needs to be mitigated. As long as risks are managed wisely, we won’t ‘shoot the messenger’ when told that an event has occurred.

“Part of managing risk wisely involves a cost-benefit analysis. Costs are not just economic – any friction added to the business or customer experience must be considered against the effectiveness of a control. The more a control negatively impacts users, the less valuable it is. This requires reducing the security benefit based on the friction created. And friction should be measured quantitatively so we can make a decision on the benefit of the control versus the impediment it creates for users.”

Most cybersecurity leaders are measured on the strength of their controls, but few are incentivized to minimize the impact on legitimate users. Every CISO should be.

With messaging established, boards can move on to governance. There are five questions every board should ask about their CISO’s strategy. Get these five right and your company will be ahead of the pack.

What frameworks do we use to manage risk, and how do we benchmark ourselves using these frameworks?

There is no shortage of security frameworks: ISO 27000 and COBIT focus on controls, CVE/CVSS scoring focuses on vulnerability measurement and ATT&CK zeroes in on threats. The value of these frameworks, when properly used, is that they provide a common language to describe risk and identify control gaps. Some frameworks also allow measurement of uncontrolled risk; these are especially useful to determine whether risks, over time, are increasing or decreasing, and to benchmark current state against others.

What types of threat actors are interested in attacking us, what are they motivated to do and how do we defend ourselves against their specific techniques?

It’s important to recognize that different types of attackers have different motives, which results in the use of different methods. Corporations and their boards must remember that the weapons they are defending against may not be the ones bad actors are planning to use. Put another way: There is little value in being able to block a punch if your attacker has a crossbow. Threat actors with financial motivations tend to rely on ransomware, fraudulent invoicing and the compromise of accounts at financial institutions. Attackers trying to draw attention to a cause seek to disrupt businesses in a way that may be highly visible and potentially damaging to corporate reputation. Most nation-states preparing for cyber war try to silently embed themselves in critical infrastructure. Businesses should make basic assumptions about the types of attackers whose motives best align with them as a target and understand the methods those attackers would likely use. Then, plan defenses against those specific techniques.

How much friction do we add to the customer and user experience?

This question is designed to encourage CISOs to think about the impact of their controls on legitimate users, including suppliers, vendors, partners and customers. It’s far easier to have great security if you are willing to create business impediments and customer friction, such as constantly challenging users to prove their identity or prohibiting the use of customer-friendly communication channels. At the same time, companies can fall behind competitors that don’t make life hard for customers. Inquiring about friction from the perspective of customers and other users forces security teams to ask themselves, “What friction are we creating?” They might not like the answer.

How do we discover sensitive data, and how do we protect it?

It’s hard to protect sensitive data if you don’t know where it is. Over time, controls intended to prevent data from being mishandled will have misses. It’s easy to copy and save data in the wrong place, new fields will be added to spreadsheets and databases that change their sensitivity, and people will forget to follow processes. The result is that your most sensitive data will spread to less secure desktops, laptops and cloud storage. Combating this requires continuous scanning to discover sensitive data where it shouldn’t be, and then taking corrective action.
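One form the continuous scan described above can take, as an added example that is not part of the article: it walks a set of documents, flags card numbers (validated with the Luhn checksum so random digit runs are not reported) and SSN-style identifiers, and reports only those found outside approved locations. The sample files, the approved-location policy and the patterns are constructed assumptions, not from the article.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample "file system": path -> contents. Not real data.
SAMPLE_FILES: Dict[str, str] = {
    "finance/approved/cards.db": "card=4111111111111111 owner=A. Smith",
    "shared/desktop/notes.txt": "customer card 4111 1111 1111 1111, ssn 123-45-6789",
    "shared/desktop/order_ids.txt": "order 1234567812345678 ref 9999",
}

# Locations where card data is allowed to live (hypothetical policy).
APPROVED_PREFIXES = ("finance/approved/",)

CARD_RE = re.compile(r"\b(?:\d[ -]?){13,16}\b")
SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")


def luhn_ok(digits: str) -> bool:
    """Luhn checksum: filters out digit runs (order ids, refs) that are not card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def find_sensitive(text: str) -> List[Tuple[str, str]]:
    """Return (kind, redacted_value) pairs found in one document; never log the full value."""
    hits = []
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"\D", "", m.group())
        if luhn_ok(digits):
            hits.append(("card", "*" * (len(digits) - 4) + digits[-4:]))
    for m in SSN_RE.finditer(text):
        hits.append(("ssn", "***-**-" + m.group()[-4:]))
    return hits


def scan(files: Dict[str, str], approved=APPROVED_PREFIXES) -> List[Tuple[str, str, str]]:
    """Report sensitive data found outside approved locations, as (path, kind, value)."""
    findings = []
    for path, text in files.items():
        if path.startswith(approved):
            continue  # an approved store; presence here is not a policy violation
        for kind, value in find_sensitive(text):
            findings.append((path, kind, value))
    return findings


if __name__ == "__main__":
    for path, kind, value in scan(SAMPLE_FILES):
        print(f"{path}: {kind} {value}")
```

Run on a schedule, the findings list is the input to the corrective action step: each entry names the file to quarantine or delete and the kind of data that leaked there.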

Do you have the resources you need to be successful?

This question may sound obvious, but it needs to be asked. Sometimes a CISO’s budget allocation isn’t sufficient to manage risks properly. This is particularly true when organizations suffer from “recency bias,” the belief that if they haven’t had a recent breach, there isn’t a need to invest in new controls. Motivated attackers are constantly evolving their techniques. That means there is no sitting still when it comes to cybersecurity. CISOs must continually improve the company’s defenses to keep up with attackers.