Top 5 Questions every CEO must ask their IT team

CEOs and company executives are ultimately accountable for safeguarding their organization’s long-term security, which helps mitigate cyber risks. As executives become more aware of risk and security management, they ask increasingly nuanced and complicated leaders questions. At the board level, interest in security and risk management (SRM) is at an all-time high. In Gartner’s security and risk survey in 2019, four out of five respondents stated that security risk influences board decisions.

The Gartner research assists security and risk management leaders analyze five types of questions that they should be prepared to answer at any executive or board-level meeting. Here are those questions.

The Trade-Off Question
The Landscape Question
The Risk Question
The Performance Question
The Incident Question
Decipher Complex Board Questions

Get Free IT Audit

Let’s discuss each of these in detail.

1. The Trade-Off Question_ Are we 100% secure?

The trade-off question is that the security and management risk leaders struggle greatly. The question “Are we secure?” needs improvising and is generally asked by the executives who are uneducated and unaware of the impact of security risks on the business. It is impossible to prohibit 100% of the incidents in this scenario. The CISO’s responsibility is to help identify and evaluate the potential risks for an organization and allocate resources to manage them.

According to Gartner’s report, a security and risk management leader, in response to this question, might say, “It is impossible to remove all resources of the information risk considering the evolving nature of the cyber threat landscape. My responsibility is to work with other aspects of the business to execute controls for managing security risks that can prevent us from improving operational efficiency and brand image. There is no such thing as ‘perfect protection’ in security. We have to reassess continually how much risk is appropriate as the business grows. We aim to develop a sustainable program to balance the requirements to protect against the needs to run a business”.

2. The Landscape Question_ How bad is it out there?

Most executives want to know their security compared to peer organizations. They read threat reports and blogs, listen to the broadcast, and even are forced by the regulation to understand such things. Gartner recognizes the need to discuss this landscape. Leaders need to avoid trying to quantify risks and attach specific budget figures to the mitigation cost depending on something external. Moreover, when benchmarks give some material for conversation, they must be a negligible factor in the decision-making process.

Here are some responses that security and risk management leaders can give while discussing the broader security landscape.

External Events	Responses
Our primary competitor experienced a public, successful attack.	We have a similar vulnerability that can facilitate the attack, addressing that weakness. Enhanced monitoring abilities have been implemented.
There are more attacks against the electricity grids in three national presence points.	We don’t expect to become a direct target. Business continuity plans are being tested and updated to overcome the prolonged outage.
We fall under the scope of the new EU General Data Protection requirements.	We have conservative and cautious privacy practices in place.

3. The Risk Question_ Do we know what our risks are?

A risk outside the tolerance needs an antidote to bring it within tolerance. It does not require dramatic changes in a short time, so beware of overreacting. The Gartner report presents a way to defend the risk management decision, and you can change it according to your organization’s risk tolerance.

One of the most common issues encountered in the report is that the evaluations are subjective and depend on flawed methodology. Security leaders must have evidence to support the evaluation, even when they are not called to present it. Another aspect that needs to be considered is whether to depict the typical outcome or the worst. For instance, most incidents in favorable outcomes are within the ability of most companies to absorb. However, there is an infrequent incident that can result in a catastrophic effect.

4. The Performance Question_ Are we appropriately allocating resources?

Security is always a moving target. The security team must demonstrate their behavior to ensure the organization stays safe. It is essential to figure out if the resources are allocated appropriately and where the money is spent. The original strategy proposal should have margins for errors concerning the deadline and the budget. As far as there are overruns within these margins, they must be noncontroversial.

There may be valid reasons even if the overruns are outside the margins. The balanced scorecard approach is a way to understand how security contributes to business performance. In this approach, the top layer defines the business aspiration, and organization performance against those aspirations is expressed using a traffic light mechanism. However, it’s not the only way. Some organizations have different types of dashboards to discuss business performance.

5. The Incident Question_ How did this happen?

An incident is unavoidable, and treatment is a blessing in disguise. Security and risk management leaders should be aware that incident details may have been tightly controlled (such as sensitivities associated with the incident). Using the fact-based approach and explaining your knowledge will eliminate the mystery and give confidence that you have control over the incident. Acknowledging the incident provides details on the business impact, outlines the flaws or gaps needed to work out, and offers a mitigation plan.

Decipher Complex Board Question

There are usually no deterministic answers to the board question, and responses are generally more about showing options for sponsorship instead of a definitive course of action. The options can vary based on the context of the discussion, the board’s maturity, the SRM leader’s communication skills, and reporting frequency. However, understanding and answering board questions require everyone to understand their roles. Therefore, the SRM leader should know that the board is interested in facilitating the business goal. Any query that may seem immature, ignorant, or complicated has a purpose. Here’s why every executive should understand the basics of cybersecurity.

As we move further into this Digital Age, it’s important for security and risk management leaders to be at the forefront of protection. Unfortunately, there will always be new threats that emerge and risks to manage. However, there are a variety of technologies and strategies that can help reduce the number of incidents and their severity. These include: reviewing third-party vendors, dual-authorization systems, unstructured data protectors, and big data analytics. As long as companies take a proactive approach to their cybersecurity efforts, they will be prepared when potential threats arise, making the job of SRMs much easier.

Ultimately, the complexity of risk management systems makes it impractical for organizations of every size to create their own. Instead, a renowned solution like Protected Harbor is needed. One that can provide the solutions necessary to resolve your company’s unique needs, with a broad suite of capabilities and an intuitive platform that provides users with the tools needed to respond effectively when crises strike. Because we understand your business and what executives desire, we’ve been assisting several executives with their day-to-day operations. Contact us today for a free IT and cybersecurity audit, take charge of your future, and be cybersecured.