Five Important Questions to ask your CISO


Questions unlock answers. But the right questions unlock understanding.

When I was starting my company, a coach introduced me to the power of questions and how critical they are. When we work with clients, we have limited time. Asking the wrong question, or a question in the wrong way, can waste valuable time. It also impacts our relationship, as we then have to ask the same question again in a different way. It can threaten our integrity and reputation.

Take for example the question, “Are we having grandma for dinner?”

Information security has matured over the last several years in ways that demand and justify a change in the questions we ask. The old questions leadership used to ask are stale. Their answers no longer provide value. Take for example,

“What do we use for vulnerability management?”

This question used to be an indication of whether the business had implemented a vulnerability management program. But today, the answer to this question provides no value in risk reduction. It is absolutely possible, and even common, to have a vulnerability management solution and not fully build it into a security process that successfully reduces risk over time.

In this article, we outline a handful of powerful and valuable questions to ask your information security leadership, so that you can have confidence the investment in security is successfully reducing your business risk.


What is our process for determining our business risk?

You’re looking for a risk process: a process that makes security intimately familiar with the business, talks to the right people, understands the right processes, and applies the system consistently and repeatedly. A system that then compares what it knows about the business to what it knows about threats, vulnerabilities, and opportunities. Security is then able to report the results clearly, so that the process has visibility and investment from all stakeholders.

On one end of the scale, you have someone who is stationary and self-computes risk based on what they know and what is available. They will then use this ad-hoc data to perform dynamic and ad-hoc actions. There is typically little to no documentation of the risk or of the process steps taken to address and reduce it.

On the other end of the spectrum, you will have someone who builds a process based on a proven security framework, documents that process, gets it approved by leadership, implements key elements of that framework into security policy, and executes well-articulated and deliberate processes to assess and reduce risks. This requires the engagement of business units and leaders. They will provide preliminary reports and samples for risk review before officially reporting on a regular basis.


What is our ‘riskiest’ data? Where does it live? What is your confidence that we have identified everywhere it is?

This is a multi-part question. It can be approached in pieces but should be done linearly. Walking through what the data is, and then getting to the confidence of where it lives, tends to produce an answer that is a relational indicator of all business risk.

Sometimes the whole risk picture is too much to compute or digest all at once. Taking just public enemy number one breaks a big challenge into smaller bits. This should be where the focus starts anyway.

Your goal when asking this question is to answer it yourself first, before asking. Then, once your security leaders answer, compare. If the answers don’t match, challenge their answer and press in on why they came to a different conclusion than you.

There are several attributes that can influence the risk level of data.

  • Classification
  • Amount, total number of records
  • Location (internal vs web application vs cloud)
  • Secure controls applied
  • Proliferation (number of locations)
  • Sharing (i.e., vendor access)

What is our ‘riskiest’ user group?

If we could only perform security awareness training with a handful of employees, who would they be? Why did you choose them? What specific things do we need to train them on to significantly reduce their risk? Are there other security controls we can change that would complement this risk reduction?

If all your crown jewels are in a database, the answer should be your DBAs. If it’s a web application, then it’s your developers. If all the end users have administrative rights to their workstations, then the answer is end users.

Your goal is to identify the greatest risk-return for the investment.


Over the last twelve months, what are our top two security themes? How can you determine this?

Hidden within this question is the question, “Do you have a process to document and record events so that they can be reviewed and learned from?”

Oftentimes security professionals are ‘reacting’ to security events. One common shortfall is not taking the time to document findings, investigations, weekly breach reports, and other important inputs that can drive future security strategies.

Your goal is to drive the maturity of the information security program to the point where it is proactive.

One of the best ways to get there is to learn from past security events. To do that successfully, you need to have documented the past findings, exploits, and vulnerabilities. Then focus your process, technology, and people improvements on those top themes.


What is something you don’t know?

I think this is a million-dollar question. I’ve been on both sides. I remember when I was the guy in charge of the security program, sitting in my director’s office having our regular meeting, and hoping they would not touch on something I didn’t know. Looking back, I regret having that fear. I think I was more concerned with them affirming me and all the hard work I was doing than with being exposed as not knowing something.

The truth is no one knows it all. What we don’t know can usually be addressed with the help of leadership. They have the relationships and influence to get the right people in the room and craft the right questions and conversations.

Security folks, well actually everyone, focus on what they do well. So if your information security analyst walks into work and can either finish that vulnerability scan, or has to ask a bunch of questions of people they don’t know to try to find out what kind of data a business unit has and how that data is used and stored, what do you think they will spend their time on?

Asking this question opens up and builds a stronger relationship between security and leadership. It provides great visibility into the unknowns and overall risk. It builds improved processes to unlock these questions and drive discovery. And I think the best thing it does is help people grow. We grow when we’re uncomfortable.

Your goal is to discover areas that are being ignored and overlooked due to lack of understanding, lack of resources, or fear.


Conclusion

When I started information security consulting my coach encouraged me to allocate a minimum of twenty percent of my time to working ‘on’ the business instead of ‘in’ the business.

Looking back, I wish a business leader would have told me to do this while I was leading an information security program. By working ‘on’ the security program I would have been forced to stop working ‘in’ the program for a little time every week and to evaluate the framework, communicate better, document more, and build stronger key relationships.

Help your security leaders now by asking the right questions: questions that build your relationship, open up trouble areas, and allow you to equip and support them through relationships, resources, and business knowledge.

The right questions may not always have answers, but they will drive the maturity of your information security program.

Want help with your security program?

Asher Security can help you remove the stress and burden of addressing the on-going security threats with our Virtual CISO service.
