How CISOs can answer difficult questions from CEOs

A hypothetical conversation about issues such as cloud security, ransomware, phishing attacks, identity theft or data leaks can become all too real. These are the answers you should be prepared to give.

chair spotlight
Credit: Thinkstock

The CEO puts all the trust in the chief security officer to keep the company off the front page and out of danger. But as the number of attacks across the internet skyrockets, that trust has slowly eroded or at the very least is increasingly questioned.

CEOs don’t want to be caught off-guard, so they are asking pointed questions to ensure they know what security precautions are being taken. Here is a hypothetical Q&A between a CEO or board member and the CISO. Lucas Moody, vice president and CISO at Palo Alto Networks, and Dottie Schindlinger, Governance Technology Evangelist at Diligent, provided insight with these interactions.

CEO: Why are we getting more phishing attacks? And what are we doing about all these phishing attacks?

CISO: To battle this threat, prevention is our best defense. Prevention starts with technology and should incorporate the means to identify the replay of corporate credentials into the wild. Supporting this capability, we have also addressed the issue of people and process through comprehensive phishing simulation and education to prepare employees to be the first line of defense necessary to proactively protect the organization.

CEO: Should we be concerned about ransomware attacks? I get the impression our industry is not affected – at least from what I’m seeing in the news. 

CISO: Given the enormous success that cyber criminals have had with ransomware, we should expect to see a higher volume of attacks this year across every industry from healthcare to critical infrastructure, and these attacks will likely grow in sophistication. We have a comprehensive backup strategy ready to counter these attacks that are usually presented in a business context and highly personalized to the recipient.

CEO: What about the security of IoT devices while connected to our corporate networks? What is our strategy for this? 

CISO: There are more than 6 billion internet-connected devices in use worldwide – a number expected to reach nearly 21 billion by 2020. As these consumer IoT devices make their way into the office and onto corporate networks, we need to get serious about proactively addressing this major vulnerability before we open ourselves up to some real threats. As you know, the human factor is always the weakest link in any cybersecurity plan, so we need to begin setting parameters around what can connect to our corporate network and the data that is being accessed via these devices. We are leveraging security technology that is not only application and product aware, but can support in appropriately controlling these devices for them to work in the way intended.

CEO: Accidental oversharing of company confidential files in SaaS apps is quickly becoming an issue. What can we do to drive home the dangers of this?

CISO: Team productivity relies on using SaaS applications like Box, Dropbox and Google Drive, and with adoption of these services being so rampant, we have developed strategies to minimize data loss risk. By design, these applications are built to simplify the sharing of information, which means that information security organizations must be well equipped to monitor and prevent exposure to the company. Coupling workforce education with preventative and detective controls to identify risky data, limit sharing and support the monitoring of exposed confidential data are important steps. Using real-life examples to explain the consequences of oversharing files in SaaS apps is very effective to help mitigate this issue and protect ourselves from driving up the cost of doing business or introducing preventable brand damage.

CEO: Let’s talk about insider risk. It’s easy to get nightmares about this stuff. Can we ever be too prepared for this?

CISO: We have a strong and established risk management program to identify where this risk can have the most impact on the business and brand. We have the right policies in place that detail the expected behaviors and couple this with robust role-based access control that is leveraged to segment user populations with data appropriate for their roles. Equally critical is having the right technologies in place to detect abnormalities in the access of confidential data supported by strong user and role context. Finally, when an incident does happen, we have the right team equipped with the right playbooks in place, ready to take immediate disruptive action, will make a huge difference to mitigate impact.

CEO: All we hear about is cloud, cloud, cloud these days. Exciting news, but how are we preparing for this transformational shift?

CISO: We have prepared for this transformational shift in IT by developing a security strategy for cloud adoption. While this is not as simple as developing policies and standards and then pushing them out to the enterprise, we have instead come up a multi-faceted approach. First, we have implemented a sustained push for relevance to be up-to-date on the numerous unique services across categories such as computing, storage, analytics, messaging and more. Second, when dealing with elastic, programmable cloud services, the only way to address security standard gaps is via automation. Third, we have identified mechanisms to achieve high-fidelity threat prevention within the cloud.

CEO: How do we protect from identity and credential theft? There must be something we can do!

CISO: The reality is not all organizations have strong authentication and validation practices, and people regularly reuse their usernames and passwords across multiple internet properties. This creates opportunities for adversaries to distribute credential collection campaigns so they can accumulate large amounts of username and password combinations, or other information used for account setup or validation. Once stolen, they often sell that information on underground forums to threat actors who would like to use the stolen data to advance their own efforts. We have addressed this problem by orchestrating an ecosystem of strong programs and capabilities, including implementing multi-factor authentication (MFA) for exposed applications and mobile devices, as well as leveraging technology to understand when corporate credentials are at risk, such as disrupting credential replay on spoofed websites.

CEO: Cybersecurity is complex and needs creative minds to drive innovation, a problem that is exacerbated by a limited talent pool. What are we doing to ensure we as a company are building a strong employee pipeline into cybersecurity?

CISO: Relying upon the “been there, done that” mentality of continuously competing in an already heavily leveraged talent pool is negligent. Seeking out different perspectives and experiences – and allowing for thought diversity to flourish – creates an amazing environment for great thinkers to come together. We allow for thought diversity to become part of the culture. To accelerate our cybersecurity program, we have expanded the addressable talent pool to include other experiences, prioritizing those that excel at problem solving, creativity, and ability to influence and understand the human element.

CEO: Nowadays, we truly have a global presence with employees based around the world. I realize this makes the security organization’s job that much tougher. How are we managing this complexity?

CISO: The most effective strategy is to train all employees to be vigilant and to be a very strong first line of prevention. We are making it a priority to share best practices and intelligence across the organization to keep everyone informed and prepared. We’re paying attention to local customs and processes and being extra mindful to work closely with the local teams to come up with the best solutions that work for that specific location or situation. Training solutions need to be localized to ensure effectiveness, and we need to continue to recruit for thought diversity to bring together the best minds to truly solve for an increasingly complex and dynamic threat landscape.

CEO: We hear all the time about bigger threats and greater urgency. How do we get security right for our organization – and for our customers?

CISO: Proactive engagement between key stakeholders before an incident occurs will ensure that the organization is able to respond quickly and effectively to modern cyber threats. In the end, what we mean when we say that it's really important to get security right is that we must lead by example. We can't do the same old thing. We can't tell customers that they need to get to the “next-gen paradigm shifts” if we aren't doing these things ourselves. We must think prevention first, reduce the attack surface within our own environments, augment with strong detect and disrupt capabilities, and we must continue to innovate in automating security into the business.

CEO: How much cyber risk insurance coverage do we need to make sure we don’t get hacked?

CISO: We have received guidance that we should have cyber risk insurance coverages included in our D&O policies to help protect our personal liability around cybersecurity. Unfortunately, cyber risk insurance only matters AFTER you’ve been hacked, and it doesn’t absolve directors from their responsibility to adhere to the law. For example, the NY Department of Financial Services (beginning March 1, 2017) now requires all financial services firms doing business in the state of New York to have the senior officer or director certify that they are not only aware of the company’s cybersecurity practices, but that directors are responsible to ensure the practices are enforced and effective. 

It is my job to ensure that you and the board of directors are regularly briefed on the cybersecurity programs in place and the effectiveness of those programs. I will ensure that you know about any successful attempts as soon as they are detected, and provide detailed descriptions of what is being done to mitigate and remediate breaches or leaks. I am also working with insurers to make sure any requirements of the coverage are being met – such as enforcing specific communication practices, education programs, and security testing.

CEO: What are you doing to make sure we don’t have any data leaks?

CISO: Data leaks can be as damaging – if not more so – than hacks and data breaches. I am providing the board with regular updates on the full scope of the company’s cybersecurity program and its crisis communications plan. Meanwhile, part of our effort is focused on developing a set of communication policies for directors and executives, which should be voted into effect by the full board and made part of new director orientation and training. Better still, I would also like to lead the board – at least annually – through tabletop exercises on a data leak, which will help the board have a front-seat view to the way the crisis communication plan works, and their own competence at adhering to the security policies.

This story, "How CISOs can answer difficult questions from CEOs" was originally published by CSO.

NEW! Download the State of the CIO 2017 report