Are we secure?
The first question any board or business leader is likely to want answered is the innocuously simple "Are we secure?" Before you can answer that, however, you have to understand what "secure" means in your business and industry. Any discussion of security involves (or at least should involve) a review of the assets, threats, and requirements that are unique to your company. Without first understanding which information and business processes are vital to your business and industry, you are in no position to respond.
Security is not a binary state of being (you are secure or you are not); rather, it is a scale from less secure to more secure in response to various threats. Even with the highest investment in security there are no absolutes. If the world's largest security vendors, corporations, and intelligence agencies have been shown to experience breaches, don't expect your security program to be the foolproof exception.
In preparing to answer this question, then, you should think and be prepared to respond not in absolutes but in terms of relative risk. "We are secure against the most likely threats to our assets and in line with the expectations of our industry and customers" is a reasonable answer, assuming you have the data to back up your response. Reviewing the reasoning behind this response with leadership provides the opportunity to understand your business's risk tolerance when it comes to information security, and how your security plan should be structured to meet that risk expectation.
Business leaders ultimately own the decision on risk tolerance, since they provide the funding required to make it a reality. Your job as CISO is to frame the discussion so that they can understand the alternatives and make intelligent choices based on your guidance as to what is a reasonable level of risk for their business.
Coming up in part two we will address the question, “Are we compliant?”
Learn more about Online Business Systems’ Risk, Security and Privacy practice by clicking here.
This piece was originally posted on LinkedIn Pulse and is reposted here with the permission of Michael Lines.