are becoming more informed and more
prepared to challenge the effectiveness
of their companies’ programmes.”
Most board questions can be
categorised into five areas.
1. THE TRADE-OFF QUESTION
What it sounds like: Are we 100% secure? Are you sure?
Why it’s asked: Questions like this are
often asked by board members who
don’t truly understand security and its
impact on the business. It’s impossible
to be 100% secure or protected. The
CISO’s role is to identify the highest-
risk areas and allocate finite resources
towards managing them based on
business appetite.
How to respond: Begin with something
like: “Considering the ever-evolving
nature of the threat landscape, it’s
impossible to eliminate all sources
of information risk. My role is to
implement controls to manage the risk.
As our business grows, we have to
continually reassess how much risk
is appropriate. Our goal is to build a
sustainable programme that balances
the need to protect against the need to
run our business.”
2. THE LANDSCAPE QUESTION
What it sounds like: How bad is it
out there? What about what happened
at X company? How are we compared
to others?
Why it’s asked: Board members come
across threat reports, articles, blogs
and regulatory pressure, and want to
understand the risks.
They will always ask about what others are
doing, especially peer organisations. They
want to know what the ‘weather’ looks like
and how they compare to others.
Issue 18 | www.intelligentciso.com