15 tough cybersecurity questions every CISO must answer


As CISOs know, an effective security program cannot be static. Rather, it must adapt to the evolving threat landscape and an ever-changing business environment.

To adapt and improve, CISOs must continuously evaluate their existing program. That starts with asking tough questions about their performance, investments, and strategies.

Here, security leaders share 15 questions every CISO should ask to ensure their programs can meet current demands and future needs.

1. What issue or incident has my security program addressed that would otherwise have hindered the business?

Roland Palmer, CISO and vice president of security at tech company JumpCloud, says he regularly asks himself this question because it forces him to identify and communicate which security efforts averted a negative impact on the business.

“This is about us trying to demonstrate ROI and articulating it,” he says. “It frames how I think about my role and where I should be targeting the media blitz [to inform] the business about what we do that demonstrates the value of security.”

2. How are we protecting our organization’s most important business processes?

This question pushes CISOs to put business resilience front and center, a focus that helps ensure security programs are aligned with business needs.

“Many organizations still take a broad, defensive approach rather than focusing their cyber strategy around critical processes. In an AI-enabled threat environment, the challenge is less about identifying every vulnerability and more about protecting critical processes and ensuring resilience when incidents occur. This is also increasingly reinforced by regulation,” says Richard Watson, global cybersecurity leader with professional services firm EY, noting the EU’s DORA, for example.

3. Do we know the actual business impact of critical service availability?

In addition to knowing which processes are critical to the organization, CISOs need to understand the true impact of a successful attack on those processes. Such knowledge helps them align their security strategy and articulate the value of their security investments to C-suite colleagues.

“Understanding which systems generate revenue, support customers, fulfill regulatory obligations, or enable critical operations helps organizations prioritize security investments where they matter most,” says Dale Hoak, CISO at software firm RegScale. “Business impact analyses should be reviewed regularly and updated whenever significant organizational changes occur.”

Similarly, Sean Murphy, senior vice president and CISO at BECU, the nation’s fifth-largest credit union, asks, “What are the security things that will shut down the business?” He says this question helps security align and prioritize its work to business risk, which ensures business resilience, not just IT resilience.

4. If we were breached tomorrow, how quickly would we know?

Mean time to detect (MTTD), along with mean time to respond and mean time to contain, remains a critical metric for measuring the effectiveness of security programs, because a low MTTD generally correlates with a smaller blast radius and less impact to the business.

That’s what makes asking this question critical, Hoak says.

“The reality is that every organization should assume an attacker will eventually gain access somewhere within the environment. The more important question becomes how quickly security teams can detect malicious activity, understand the scope, and respond effectively,” he says. “This question should be evaluated continuously through monitoring, tabletop exercises, purple team exercises, and incident response testing.”
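As an added example (not code from the article or from any of the CISOs quoted), the script below computes MTTD, MTTR and MTTC from a constructed incident register. It excludes still-open incidents from the containment figure instead of counting them as zero, reports the median beside the mean because one long-dwell incident can inflate an average, and tracks how many incidents were first reported from outside, which is the most direct measure of "would we have known". The record fields and the phase definitions are assumptions; the only requirement is that a team picks definitions and keeps them fixed between measurements.

```python
from datetime import datetime
from statistics import mean, median

# Constructed incident register for this example (not real data). Times are UTC ISO-8601.
# A missing "contained" timestamp means the incident is still open; it must be
# excluded from MTTC rather than silently counted as a zero-hour containment.
# "detected_by" records whether the SOC found it or an outsider reported it.
INCIDENTS = [
    {"id": "INC-1", "compromise": "2024-03-01T02:00:00", "detected": "2024-03-01T08:30:00",
     "responded": "2024-03-01T09:00:00", "contained": "2024-03-01T15:00:00", "detected_by": "internal"},
    {"id": "INC-2", "compromise": "2024-03-10T00:00:00", "detected": "2024-03-14T00:00:00",
     "responded": "2024-03-14T04:00:00", "contained": "2024-03-15T00:00:00", "detected_by": "external"},
    {"id": "INC-3", "compromise": "2024-03-20T10:00:00", "detected": "2024-03-20T10:15:00",
     "responded": "2024-03-20T10:30:00", "contained": "2024-03-20T12:15:00", "detected_by": "internal"},
    {"id": "INC-4", "compromise": "2024-03-25T09:00:00", "detected": "2024-03-26T09:00:00",
     "responded": "2024-03-26T10:00:00", "contained": None, "detected_by": "internal"},
]


def hours_between(start, end):
    """Elapsed hours from start to end (ISO-8601 strings); None if either is missing."""
    if start is None or end is None:
        return None
    return (datetime.fromisoformat(end) - datetime.fromisoformat(start)).total_seconds() / 3600


def intervals(incidents, start_field, end_field):
    """Per-incident durations for one phase, skipping incidents that have not reached end_field."""
    out = []
    for inc in incidents:
        h = hours_between(inc.get(start_field), inc.get(end_field))
        if h is not None:
            out.append(h)
    return out


def summarize(values):
    """Mean and median together: one long-dwell incident inflates the mean, so report both."""
    if not values:
        return {"mean": None, "median": None, "n": 0}
    return {"mean": mean(values), "median": median(values), "n": len(values)}


def detection_metrics(incidents):
    """MTTD, MTTR and MTTC in hours.

    Phase definitions used here (an assumption for this example):
      MTTD = detected - compromise
      MTTR = first response - detected
      MTTC = contained - detected   (open incidents excluded from the figure, but counted)
    """
    return {
        "mttd": summarize(intervals(incidents, "compromise", "detected")),
        "mttr": summarize(intervals(incidents, "detected", "responded")),
        "mttc": summarize(intervals(incidents, "detected", "contained")),
        "open": sum(1 for inc in incidents if inc.get("contained") is None),
    }


def external_detection_ratio(incidents):
    """Fraction of incidents first reported from outside (customer, researcher, law enforcement)."""
    if not incidents:
        return 0.0
    return sum(1 for inc in incidents if inc.get("detected_by") == "external") / len(incidents)


def worst_dwell(incidents):
    """The incident with the longest time to detection: the one to walk through in the next tabletop."""
    return max(incidents, key=lambda inc: hours_between(inc["compromise"], inc["detected"]))["id"]


if __name__ == "__main__":
    m = detection_metrics(INCIDENTS)
    for name in ("mttd", "mttr", "mttc"):
        s = m[name]
        print(f"{name.upper()}: mean {s['mean']:.2f} h, median {s['median']:.2f} h over {s['n']} incidents")
    print(f"open incidents: {m['open']}")
    print(f"externally reported: {external_detection_ratio(INCIDENTS):.0%}")
    print(f"longest dwell: {worst_dwell(INCIDENTS)}")
```

On the constructed register, the MTTD mean is about 31.7 hours while the median is 15.25 hours; the gap is driven by the single externally reported incident that sat undetected for four days, which is exactly the case the tabletop and purple-team exercises in the quote above should be built around.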

5. Are we operating at machine speed or human speed?

According to Watson, CISOs should be wondering about their department’s overall speed and whether it’s as fast as needed.

“Today’s cyber and IT operating models, governance processes, and controls were built for a slower threat landscape. As AI accelerates both attack and defense capabilities, organizations need to assess whether they are keeping pace or whether gaps are emerging as threat actors increasingly use advanced automation and AI,” he says.

6. What don’t we know?

This is a question that Murphy regularly puts to his security team to help them prepare for whatever is out there.

“We have to think about where we don’t have visibility, where are our blind spots, what we don’t know but need to know, whether it’s around people, process, or technology,” he says. “It’s an uncomfortable conversation, but we have to think about where the gaps might be. We have to think about where we may have new exposure.”

Murphy and his team use threat intelligence and information from colleagues, peer groups, industry associations, and their own security systems “to understand what we’re seeing. It’s a lot of ingestion of information that’s available. And it’s about being curious and critical, and questioning and not assuming. I’m trying to see around corners.”

7. Which third parties could significantly impact our operations if compromised?

“Recent attacks have demonstrated that compromising one trusted supplier can create downstream risk across thousands of organizations,” Hoak says. “Many companies have stronger visibility into their own environments than they do into the organizations they depend upon.”

So CISOs must be continuously asking this, he adds, “because vendor relationships, software dependencies, and threat landscapes constantly evolve.”

8. How buttoned up is our IAM program for both human and nonhuman identities?

Identity and access management (IAM) has become a central component of modern security programs. So it’s essential, Palmer says, for CISOs to know exactly how many human and nonhuman identities operate within their organizations and whether their access is restricted to just the appropriate use cases.

“This has become an everyday question. I’d go farther and say it’s now an every-hour question,” Palmer says, noting that the proliferation of AI use, shadow AI, and AI agents means the number of identities and their access rights are constantly changing.

9. How are we securing our nonhuman identities?

On another AI-related note, Watson says CISOs everywhere need to ask whether they have adequate security for their nonhuman identities.

“Nonhuman identities are an emerging frontier of cyber risk, and many traditional identity governance tools have not yet evolved to address them. As organizations adopt more automated and agent-driven processes, managing access and privileges across these identities becomes increasingly important,” he says.
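One way to turn questions 8 and 9 into a recurring check, as an added example that is not from the article or from any of the companies quoted: review an identity inventory (human accounts, service accounts and AI agents) against the access each identity was registered to need, and flag wildcard grants, permissions beyond the stated use case, dormant credentials, and identities with no accountable owner. The sample records, the field names and the 90-day dormancy threshold are assumptions for this example; in practice the inventory would be exported from the identity provider and cloud IAM.

```python
from collections import Counter
from datetime import date

# Constructed identity inventory for this example (not real accounts).
# "expected" is the permission set recorded when the identity was registered for
# its use case; "granted" is what the directory or cloud IAM actually reports.
IDENTITIES = [
    {"id": "alice@example.com", "kind": "human", "owner": "alice@example.com",
     "granted": {"repo:read", "repo:write"}, "expected": {"repo:read", "repo:write"},
     "last_used": "2024-06-01"},
    {"id": "svc-ci-deploy", "kind": "service", "owner": "platform-team",
     "granted": {"repo:read", "deploy:prod", "iam:admin"}, "expected": {"repo:read", "deploy:prod"},
     "last_used": "2024-06-02"},
    {"id": "svc-legacy-export", "kind": "service", "owner": None,
     "granted": {"db:read"}, "expected": {"db:read"},
     "last_used": "2023-11-15"},
    {"id": "agent-support-bot", "kind": "agent", "owner": "support-eng",
     "granted": {"*"}, "expected": {"tickets:read", "tickets:comment"},
     "last_used": "2024-06-03"},
]

# Review date for the constructed data; a real run would use date.today().
NOW = date(2024, 6, 3)


def review_identity(ident, today, dormant_days=90):
    """Return the list of findings for one identity (empty list means it passes)."""
    findings = []
    granted = set(ident["granted"])

    # A wildcard makes the excess-permission comparison meaningless, so report it
    # on its own and compare only the explicitly named permissions.
    if "*" in granted:
        findings.append("wildcard grant")
        granted.discard("*")

    excess = granted - set(ident["expected"])
    if excess:
        findings.append("excess permissions: " + ", ".join(sorted(excess)))

    # Nonhuman identities are rarely offboarded, so an owner is the only way
    # anyone will ever answer "can we revoke this?"
    if not ident.get("owner"):
        findings.append("no accountable owner")

    idle = (today - date.fromisoformat(ident["last_used"])).days
    if idle > dormant_days:
        findings.append(f"dormant for {idle} days")
    return findings


def review_inventory(identities, today, dormant_days=90):
    """Map identity id -> findings, for identities that have at least one finding."""
    report = {}
    for ident in identities:
        findings = review_identity(ident, today, dormant_days)
        if findings:
            report[ident["id"]] = findings
    return report


def count_by_kind(identities):
    """How many identities of each kind exist: the headline number the CISO is asked for."""
    return Counter(ident["kind"] for ident in identities)


if __name__ == "__main__":
    print("inventory:", dict(count_by_kind(IDENTITIES)))
    for ident_id, findings in review_inventory(IDENTITIES, NOW).items():
        print(f"{ident_id}:")
        for f in findings:
            print(f"  - {f}")
```

Running the check on the constructed inventory flags the deploy service account for an `iam:admin` grant outside its registered use case, the legacy export account for having no owner and 201 days of inactivity, and the support agent for a wildcard grant; the human account passes. The useful part is the comparison against a recorded use case rather than against a generic "too many permissions" threshold, since that is what lets the review say whether access is restricted to the appropriate purpose.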

10. Do we know where AI is being used, what data is being shared, and who is accountable for those decisions?

As Doug Kersten, CISO at software maker Appfire, observes, “Many employees are adopting AI tools on their own to solve real business problems before leadership even knows those tools exist, creating unidentified security risks. That creates the same kind of visibility and accountability issues we saw for years with shadow IT; [it’s] just happening much faster.”

To ensure they can answer “yes” to those questions, CISOs need governance processes that keep pace with quickly evolving technology and that involve legal, procurement, HR, engineering, and business teams as well as security, he says.

11. Is my application security program built for a world where everyone is a coder?

AI has made application development accessible to everyone in the organization, so CISOs need to consider whether their security programs have the right controls for this new reality.

“CISOs have to figure out the guardrails [for the organization] to do vibe coding in a secure way, and those guardrails have to match the speed of vibe coding,” says Nico Waisman, CISO at security tech company XBOW.

12. Are we ready for the expanding attack surface that vibe coding is creating?

Similarly, Waisman says he and other CISOs have to ponder whether their security programs are capable of safeguarding the expanding attack surface and technical debt that vibe coding is creating.

“If anyone can generate their own product, we’re going to have applications popping up all over the network and the environment. That means [the organization likely] is generating technical debt, because people love to build software but no one loves to maintain software. And if no one is maintaining it, then it could have vulnerabilities that no one is monitoring or fixing. It may end up with only security caring for it,” Waisman says.

To avoid such a scenario, CISOs must be diligent about inventorying assets and assigning ownership to every application, he says.

13. What are we doing to prepare for a world where hackers have Mythos?

Claude Mythos is a frontier AI model from Anthropic that can autonomously find and exploit software vulnerabilities. In hackers’ hands, such a model would further compress the time needed to build and launch attacks.

“The speed and scale are different now,” Waisman says. “Anthropic and OpenAI models have opened the doors for a scale of attacks that we have never seen before. So CISOs have to think about how that will affect their security posture and how they’ll be defending against attacks as the scale and speed change even more.”

14. Am I confident enough to share our real-time security posture if a customer asked for it?

JumpCloud’s Palmer puts himself and his security team to the test by regularly asking whether he’d be comfortable sharing a real-time snapshot of his security program.

“Am I comfortable with our patch management, our vulnerability management, and with our customers seeing those stats? Am I comfortable with customers looking behind the curtain?” he asks.

Palmer says such questions help him assess whether his security program is where it should be. He says he can answer “yes” to those questions most of the time, but he admits that sometimes he answers “no.” And while a “no” from time to time is expected, Palmer says if there are two or more a quarter, he knows he must focus on righting the security team’s efforts to get him back to more affirmative responses.

15. Are we securing the business we have today and the business we’ll have a year from now?

Given the pace of technology advances and the shifts in the threat landscape and in business strategy, RegScale’s Hoak knows he must keep his eyes on the horizon and have a plan to meet it head-on.

“Security programs often lag behind business growth and transformation initiatives. Organizations are rapidly adopting AI, modernizing applications, expanding cloud environments, and integrating new third-party services. If security strategies are only focused on current-state risks, they quickly become outdated,” he explains.

So he actively asks himself whether he’s prepared for the future, noting that “this question should be revisited whenever strategic business plans, acquisitions, major technology initiatives, or new market opportunities emerge.”
