The 3 Big Questions CISOs Ask Themselves

Posted by: Karsten Chearis
March 14, 2024

I recently had the pleasure of meeting with several CISOs and cybersecurity leaders across multiple verticals at the Innovate Cybersecurity Summit in Nashville, Tennessee. The variety of experiences each possessed, coupled with the myriad of initiatives they were leading, was enough for numerous books to be written.

After leaving the event, I noticed that the questions asked were similar to those of other leaders I’ve met in my security solutions consulting career. Tenured and knowledgeable leaders focus on strategic challenges because they know strategy directs tactical work. Correctly answering these questions positions CISOs to direct their teams effectively. I took the various questions I noted and categorized them into three challenges.

The 3 Big “How Can I…”

1. How can I more impactfully partner with other business leaders to secure our company?

CISOs want their companies to succeed like their leadership peers in sales, marketing, research, and more. The difference is that CISOs want the company to be successful securely. Security leaders know it’s not a win if the new product is launched, but the source code is leaked a day later. With cybersecurity efforts often mislabeled as a hindrance, CISOs seek ways for all business units to align with security strategies to meet business expectations. Unfortunately, CISOs are inundated with disparate security tools, increased regulations, and more complex terminology, making discussing security with non-security leaders daunting.

2. How can I more effectively communicate with Board members and executive leadership to show how our cyber risks have changed?

It was interesting to see that the second challenge is related to the first. Both challenges involve gathering relevant data and articulating findings. The first challenge is collaborating horizontally; the second involves collaborating vertically. The Board of Directors, investors, and executive leadership depend on CISOs to explain cyber risk and summarize risk reduction efforts.

One CISO I spoke with said their CEO began each meeting by asking, “What’s keeping you awake at night?” In other words, which cyber threats pose the most significant risk, why would you quantify them as the greatest, and what are we doing about it? And importantly, how can a CISO answer those questions if their teams use 40 disparate security tools that score risk differently?

3. How can I ensure my teams are prioritizing risks correctly?

The cybersecurity industry has inadvertently diluted defense-in-depth and turned it into never-ending checklists. Security leaders have a list of areas to protect (email, endpoints, cloud, etc.), a list of controls to enable (auto-updates, port closures, authentication checks, etc.), and a list of frameworks to utilize (NIST, MITRE, CIS, etc.). This makes managing exposures and reducing risks a game of Whack-A-Mole and Keep-Away.

Both approaches are reactive, but effective cybersecurity is proactive. Security leaders need help knowing which exposure to tackle and which entities to fix. This becomes even more challenging when they realize some entities can’t be patched because it would break production flow or an update to the OS would make the production application cease to work. What can be done when you can’t update?

Threat actors continue to leverage multiple exposures, treat hybrid and multi-cloud environments as one attack surface, and compromise what is needed to attain what is valued. Above all, attackers leverage the freedom of multiple paths, while defenders often struggle with a checklist of boxes for each of their environments. CISOs need a holistic solution built to highlight potential attack paths and reveal actual mitigation. They also need a long vacation.

Unfortunately, I can’t help with the long vacation. I’ll also admit that I don’t have the answer to every question. The constant rule of cybersecurity is that it is ever-changing, and there will always be a new risk, a more capable adversary, and a recently identified exposure. The right tools enable CISOs and security leaders to understand risk in the context of their organization’s critical assets.

Security teams need to see where attackers could move and how they could take the next step to critical assets. XM Cyber’s Continuous Exposure Management solution reveals the most impactful risks, highlights an adversary’s attack path, and articulates what should be fixed on which entities. This, along with the Continuous Threat Exposure Management framework, positions CISOs to work with business leaders, communicate cyber risk to the Board, and efficiently lead their teams to success.
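To make the attack-path prioritization idea from the third question concrete, here is an added example written for this post (it is not XM Cyber's product or its algorithm, and the environment, entity names and exposure names are constructed): it enumerates every path from assumed entry points to critical assets, then greedily picks the exposures that cut the most remaining paths, reporting on which entities each must be fixed and what to fix instead when one exposure cannot be patched.

```python
from collections import defaultdict
# Constructed sample environment (not real data): (src, dst, exposure) means an attacker
# holding src can reach dst by exploiting exposure, and the exposure lives on dst.
EDGES = [
    ("workstation-1", "file-server", "smb-unpatched"),
    ("workstation-2", "file-server", "smb-unpatched"),
    ("workstation-1", "jump-host", "local-admin-password-reuse"),
    ("file-server", "domain-controller", "dc-rdp-open-to-servers"),
    ("jump-host", "domain-controller", "dc-rdp-open-to-servers"),
    ("jump-host", "cloud-storage", "overprivileged-iam-role"),
    ("domain-controller", "cloud-storage", "overprivileged-iam-role"),
]
ENTRY_POINTS = {"workstation-1", "workstation-2"}   # assumed initial-access endpoints
CRITICAL_ASSETS = {"domain-controller", "cloud-storage"}

def enumerate_attack_paths(edges, entry_points, critical_assets):
    """Every simple path from an entry point to a critical asset, as (src, exposure, dst) hops."""
    adj = defaultdict(list)
    for src, dst, exposure in edges:
        adj[src].append((dst, exposure))
    paths = []

    def walk(node, visited, hops):
        if node in critical_assets and hops:
            paths.append(list(hops))   # record it, but keep walking: one crown jewel can lead to another
        for dst, exposure in adj[node]:
            if dst not in visited:
                hops.append((node, exposure, dst))
                walk(dst, visited | {dst}, hops)
                hops.pop()

    for entry in sorted(entry_points):
        walk(entry, {entry}, [])
    return paths

def remediation_plan(paths, cannot_fix=frozenset()):
    """Greedy choke points: returns [(exposure, paths_cut, entities_to_fix_it_on), ...] in fix order."""
    remaining = dict(enumerate(paths))
    plan = []
    while remaining:
        cut_by, entities = defaultdict(set), defaultdict(set)
        for i, path in remaining.items():
            for _src, exposure, dst in path:
                if exposure not in cannot_fix:
                    cut_by[exposure].add(i)        # paths this exposure sits on
                    entities[exposure].add(dst)    # where it has to be fixed
        if not cut_by:
            break   # the remaining paths run only over exposures we cannot fix
        best = min(cut_by, key=lambda e: (-len(cut_by[e]), e))
        plan.append((best, len(cut_by[best]), sorted(entities[best])))
        for i in cut_by[best]:
            del remaining[i]
    return plan
```

With the constructed data, two fixes (the DC exposure, then the jump-host password reuse) cut all seven paths, while the four-item checklist view would have ranked them by count alone.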

I’m thankful for leaders who ask the hard questions so that security vendors can help provide the right answers.

Karsten Chearis

Karsten Chearis is a Senior Security Sales Engineer at XM Cyber. Karsten is a seasoned professional and perpetual student with years of experience, including leading teams around email security, web threats and shadow IT, enterprise mobility management, cyber threat intelligence, and more. He believes most problems can be resolved with red velvet cake and ice cream.
