{"id":3643,"date":"2025-06-23T07:01:00","date_gmt":"2025-06-23T07:01:00","guid":{"rendered":"https:\/\/cybersecurityinfocus.com\/?p=3643"},"modified":"2025-06-23T07:01:00","modified_gmt":"2025-06-23T07:01:00","slug":"10-tough-cybersecurity-questions-every-ciso-must-answer","status":"publish","type":"post","link":"https:\/\/cybersecurityinfocus.com\/?p=3643","title":{"rendered":"10 tough cybersecurity questions every CISO must answer"},"content":{"rendered":"<div>\n<div class=\"grid grid--cols-10@md grid--cols-8@lg article-column\">\n<div class=\"col-12 col-10@md col-6@lg col-start-3@lg\">\n<div class=\"article-column__content\">\n<div class=\"container\"><\/div>\n<p>As CISOs gain stature and responsibility, the top security role only gets more demanding. In addition to having to continuously evaluate their security postures to determine what adjustments to make to adequately protect their organizations, today\u2019s CISOs must align with the business in ways that enforce key business objectives \u2014 and bring questions and tradeoffs around risk management squarely in the spotlight.<\/p>\n<p>To fulfill this increasingly complex remit at a time when personal liability has become a real concern, CISOs must continually assess not just their security stacks and postures, but also their teams\u2019 cultures, the state and direction of the business at large, and their position in ensuring their organizations thrive despite myriad existing and emerging risks.<\/p>\n<p>Here, thought leaders offer the 10 most pressing questions that security chiefs must answer as part of their ongoing security strategy and career growth plans.<\/p>\n<h2 class=\"wp-block-heading\">1. 
Am I a business enabler or an impediment?<\/h2>\n<p>The security function can have a reputation for being the \u201cdepartment of \u2018no,\u2019\u201d so CISOs should ponder whether they and their teams are living up to that name, says <a href=\"https:\/\/www.protiviti.com\/us-en\/sameer-ansari\">Sameer Ansari<\/a>, managing director and global security and privacy leader at global consulting firm Protiviti.<\/p>\n<p>\u201cCISOs need to ask: \u2018Am I seen as an enabler or a blocker?\u2019\u201d he adds.<\/p>\n<p>CISOs who find that their executive colleagues avoid them or engage them only when projects hit their later stages are likely seen as impediments to business objectives rather than <a href=\"https:\/\/www.csoonline.com\/article\/4002753\/cisos-reposition-their-roles-for-business-leadership.html\">enablers of business success<\/a>, Ansari explains. Similarly, CISOs who hear of initiatives through office chatter rather than as partners during planning sessions are probably seen as obstructionists, too.<\/p>\n<p>Those who find themselves in such circumstances can turn that around, Ansari notes.<\/p>\n<p>\u201cDon\u2019t just shut down ideas. Help them do what they want to do by being consultative and do it without judgment,\u201d he explains. \u201cEducate the business on the risks and let the business make the decision on how much risk it wants to take on. Or, if it\u2019s outside the organization\u2019s risk tolerance level, then say, \u2018Let\u2019s escalate this.\u2019\u201d<\/p>\n<h2 class=\"wp-block-heading\">2. How can we achieve the right security balance for our company\u2019s risk tolerance?<\/h2>\n<p>To play that consultative role, CISOs also need to ask and answer that question, says <a href=\"https:\/\/www.linkedin.com\/in\/vandyhamidi\/\">Vandy Hamidi<\/a>, CISO of public accounting and advisory firm BPM.<\/p>\n<p>\u201cMy role is to reduce risk in a way that enables the business to operate confidently while serving our clients effectively. 
If we lock everything down, we hurt the business, frustrate users, and lose agility. But if we under-secure, we expose the company to breaches, regulatory risk, and reputational harm,\u201d he says. \u201cTo strike the right balance, we focus on understanding how the business operates, its priorities, its challenges, and its people. That means working cross-functionally to assess not just technical exposure, but operational impact.\u201d<\/p>\n<p>To do so, Hamidi\u2019s team collaborates closely with business leaders and colleagues to align security with the business while ensuring client and organizational data is adequately protected. \u201cIt\u2019s not just about technical safeguards; it\u2019s about building trust, communicating risk in business terms, and making security a strategic enabler rather than a blocker,\u201d he says.<\/p>\n<p><a href=\"https:\/\/www.rsaconference.com\/experts\/john-denning\">John Denning<\/a>, CISO at the Financial Services Information Sharing and Analysis Center (FS-ISAC), says CISOs could also ask themselves, \u201cIs security supporting the business and protecting customers and clients at the same time?\u201d<\/p>\n<p>\u201cCISOs need to balance the two,\u201d he says. \u201cAs an example, we are seeing a rise in \u2018smart friction\u2019 \u2014 strategically placed obstacles in the user experience designed to increase security and slow payment authorizations.\u201d<\/p>\n<h2 class=\"wp-block-heading\">3. 
What are the right metrics to present to the board?<\/h2>\n<p>CISOs need to demonstrate how they\u2019re enabling the business, and that means identifying <a href=\"https:\/\/www.csoonline.com\/article\/3979024\/the-8-security-metrics-that-matter-most.html\">how to measure their work<\/a> in ways that <a href=\"https:\/\/www.csoonline.com\/article\/649795\/10-benefits-of-security-performance-metrics-for-cisos.html\">matter to the board<\/a>, says <a href=\"https:\/\/www.forrester.com\/analyst-bio\/jeff-pollard\/BIO10584\">Jeff Pollard<\/a>, vice president and principal analyst with Forrester Research.<\/p>\n<p>Operational counts such as the number of systems patched, mean time to respond, and mean time to remediate don\u2019t give the board any reason to think security is helping drive the business forward, he says.<\/p>\n<p>Instead, CISOs need to find metrics that speak to security\u2019s role in supporting business objectives, as well as metrics that enable better executive and board decision-making, Pollard says.<\/p>\n<h2 class=\"wp-block-heading\">4. What does cybersecurity mean to the organization?<\/h2>\n<p>CISOs also need to understand where the security function fits within the organization so they can ascertain whether they have the power to effect the right actions, says <a href=\"https:\/\/www.s-rminform.com\/our-people\/paul-caron\">Paul Caron<\/a>, head of cybersecurity for the Americas at consultancy S-RM.<\/p>\n<p>\u201cMany times, CISOs are responsible for taking action on the risks at hand, but are they really in the seat to take on these challenges? Are they going to be supported and resourced accordingly? Do they really have exec-level support to be agents of change? 
These are all the questions that every CISO now especially needs to ask themselves and others,\u201d he says.<\/p>\n<p>In an era where \u201cCISOs are, in fact, accountable for and <a href=\"https:\/\/www.csoonline.com\/article\/2505459\/how-cisos-can-protect-their-personal-liability.html\">can be held liable<\/a> for organizations being unprepared for cyber incidents,\u201d Caron says it\u2019s imperative for CISOs to know whether they have the authority that should accompany that accountability.<\/p>\n<p>\u201cThey should be reevaluating their assessment of how an organization views risk management and how much of a voice they are being afforded at the decision table. These are key questions they need to be very transparent with themselves on,\u201d he says, adding that \u201ca <a href=\"https:\/\/www.csoonline.com\/article\/3602722\/the-ciso-paradox-with-great-responsibility-comes-little-or-no-power.html\">CISO without authority<\/a> is the worst seat in the house.\u201d<\/p>\n<h2 class=\"wp-block-heading\">5. Am I effectively communicating technical risks?<\/h2>\n<p>CISOs should also ask themselves whether they\u2019re able to put cybersecurity risks in terms that the business understands, Protiviti\u2019s Ansari says.<\/p>\n<p>He has seen security chiefs too often talk about risks in technical terms, but talking to other executives about the lack of cloud container security or misconfigurations, for example, won\u2019t help them understand what\u2019s at stake.<\/p>\n<p>\u201cThat\u2019s going to go over everyone\u2019s head. 
Even today, when you have more board members versed in cyber, they\u2019d still be asking, \u2018What does that really mean?\u2019\u201d Ansari says.<\/p>\n<p>He advises CISOs to consider whether they\u2019re really <a href=\"https:\/\/www.csoonline.com\/article\/3543810\/chief-risk-storyteller-how-cisos-are-developing-yet-another-skill.html\">telling the security and risk stories<\/a> in ways that the business will understand; he suggests CISOs ask trusted colleagues both inside and outside the security department for feedback to help with this task.<\/p>\n<p>It\u2019s worth the effort, he adds, because CISOs who tell better stories are more effective in conveying the business risks, <a href=\"https:\/\/www.csoonline.com\/article\/3974407\/ciso-vs-cfo-why-are-the-conversations-difficult.html\">which gets them more authority, resources,<\/a> and alignment to business goals.<\/p>\n<h2 class=\"wp-block-heading\">6. Does my team feel empowered to challenge me?<\/h2>\n<p>No single individual \u2014 even the CISO \u2014 can make the best calls all the time, so security leaders should welcome information on where their programs are falling short.<\/p>\n<p>\u201cSo they have to ask themselves: Does my team feel empowered to challenge my decisions? Am I encouraging dissent?\u201d Ansari says.<\/p>\n<p>For CISOs who find that their teams don\u2019t feel they can speak up, Ansari advises working on the team culture by encouraging discussion, responding positively to challenges, and actively seeking out opinions. Simply saying, \u201cI need other perspectives on this,\u201d can help here, Ansari adds.<\/p>\n<h2 class=\"wp-block-heading\">7. What do our customers want us to do for security?<\/h2>\n<p>CISOs are hearing from customers about their security priorities through the third-party security questionnaires that have proliferated in recent years, Pollard says. 
The questions give CISOs insights into what customers care about and what they want the CISOs\u2019 organizations to do from a security perspective.<\/p>\n<p>\u201cIf you understand that, you can build a business case for security,\u201d he says, explaining that CISOs can weigh the cost of a security control that certain customers demand against the revenue those customers generate to put a value on the security work. \u201cCISOs need to map this out: How many customers ask this of us and what is the revenue they\u2019re worth?\u201d<\/p>\n<h2 class=\"wp-block-heading\">8. Where does all the organization\u2019s data really reside?<\/h2>\n<p><a href=\"https:\/\/www.linkedin.com\/in\/acardwell\/\">Aimee Cardwell<\/a>, CISO in residence at tech company Transcend and former CISO of UnitedHealth Group, knows firsthand the reason for asking this question, saying, \u201cExperience has shown me in the most painful ways that data is somewhere I haven\u2019t seen.\u201d<\/p>\n<p>She has discovered sensitive data tucked into invoice folders and in servers and databases from old shadow projects, for example. She notes, too, that CISOs may have data in unknown locations following company acquisitions and mergers. \u201cAnd then you layer AI into that, and you may be leaking data you don\u2019t even know about,\u201d she adds.<\/p>\n<p><a href=\"https:\/\/online.maryville.edu\/cybersecurity\/faculty\/brian-gant\/\">Brian M. Gant<\/a>, associate dean of technology and assistant professor of cybersecurity at the John E. 
Simon School of Business at Maryville University, says CISOs need to continuously ask, \u201cWhere is the organization\u2019s most valuable data and how are we protecting it?\u201d and \u201cWhere are the keys to the kingdom?\u201d to help them tackle this issue and ensure they\u2019re adequately protecting sensitive data.<\/p>\n<p><a href=\"https:\/\/ssaandco.com\/team\/nick-kramer\/\">Nick Kramer<\/a>, principal of applied solutions at global consulting firm SSA &amp; Co., also advises CISOs to ask whether they have the needed insight into where the organization\u2019s unstructured data resides and whether the data is appropriately protected. For example, he advises CISOs to move their organizations away from emailing attachments and toward sharing links to documents housed in secure locations, to get files off worker devices and into those same secure locations, and to implement encryption. A link to a governed repository can be revoked and audited; a copy sitting in a mailbox or on a laptop cannot.<\/p>\n<h2 class=\"wp-block-heading\">9. How will AI impact my staffing?<\/h2>\n<p>In recent years, CISOs have trained their security teams to support the secure use of AI by business teams. Now they need to adjust their own staffing strategies as AI becomes an increasingly prominent tool within the security department. \u201cThey need to be exploring, What is the impact of AI on my staffing? How is my organization going to be different?\u201d Pollard says.<\/p>\n<p>He says CISOs must consider how their team members <a href=\"https:\/\/www.csoonline.com\/article\/3957719\/agentic-ai-is-both-boon-and-bane-for-security-pros.html\">will work alongside AI agents<\/a> and whether they\u2019re ready to effectively do so. And they should consider how staffing in the security operations center will change. For example, Pollard says AI will likely reduce the need for entry-level workers but may mean more level 2 analysts. 
That requires CISOs to think about how they recruit and train those senior analysts <a href=\"https:\/\/www.cio.com\/article\/3846276\/will-ai-erode-it-talent-pipelines.html\">if fewer will be coming from level 1 SOC analyst positions<\/a>.<\/p>\n<h2 class=\"wp-block-heading\">10. What\u2019s the next attack that could surprise me?<\/h2>\n<p>\u201cWhat\u2019s the next vulnerability or the next threat?\u201d That, SSA\u2019s Kramer says, is a key question to ask and answer.<\/p>\n<p>CISOs, of course, have long worried about zero-day exploits, and they must continue to. But they also need to consider how an evolving attack surface and increasingly sophisticated attackers can open holes in their security plans nearly instantaneously.<\/p>\n<p>\u201cMy biggest fears are always what I don\u2019t know, where am I going to be surprised,\u201d says Cardwell, the Transcend CISO in residence.<\/p>\n<p>To allay such fears, Maryville University\u2019s Gant advises CISOs to ask \u201cWhat is my attack surface?\u201d and \u201cWho is after me and why?\u201d and use the answers to devise appropriate plans for safeguarding data and systems.<\/p>\n<p>Another question to ask, according to FS-ISAC\u2019s Denning, is this: Do I have a defensive technology stack that is fit for purpose while aimed toward the future?<\/p>\n<p>\u201cPowerful new tools are arming bad actors to commit more effective fraud, ransomware, and DDoS attacks, among other threats,\u201d he adds. \u201cCISOs need to assess whether they have the right tools and talent to combat these threats and address emerging ones.\u201d<\/p>\n<p>For example, Denning says CISOs should be inventorying their cryptographic assets to <a href=\"https:\/\/www.csoonline.com\/article\/3552701\/the-cisos-guide-to-establishing-quantum-resilience.html\">prepare for the day when quantum computing changes all their plans<\/a>. Knowing which systems, certificates, and protocols depend on RSA or elliptic-curve keys, and who owns them, is the prerequisite for any migration to post-quantum algorithms.<\/p>\n<p>Kramer says CISOs need to do more to get ahead of the future. 
He recommends CISOs appoint staff members to look around the corner, just as CTOs typically have people to study emerging technologies.<\/p>\n<p>\u201cCISOs are looking ahead, but too often they\u2019re waiting until other people figure it out and tell them what to do, and that means the fixes are [determined] because of some successful attacks,\u201d Kramer says. \u201cBut nowadays you have to have a view of experimentation and really trying to figure out what\u2019s next, perhaps using simulation tools to find new attack surfaces.\u201d<\/p>\n<\/div>\n<\/div>\n<\/div>\n<\/div>","protected":false},"excerpt":{"rendered":"<p>As CISOs gain stature and responsibility, the top security role only gets more demanding. In addition to having to continuously evaluate their security postures to determine what adjustments to make to adequately protect their organizations, today\u2019s CISOs must align with the business in ways that enforce key business objectives \u2014 and bring questions and tradeoffs 
[&hellip;]<\/p>\n","protected":false},"author":0,"featured_media":3644,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[3],"tags":[],"class_list":["post-3643","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-education"],"_links":{"self":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts\/3643"}],"collection":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"replies":[{"embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=3643"}],"version-history":[{"count":0,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts\/3643\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/media\/3644"}],"wp:attachment":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=3643"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=3643"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=3643"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}