Ultimately, CEOs are responsible for every bad thing that happens to the company, but they’re not experts on everything. They depend on the experts who report to them.
One of these is the CISO. What should the CEO ask the CISO to ensure the company’s interests are being served and served best under their constraints? How about at budget time? What should the CEO ask the CISO to get meaningful answers he/she/they can understand and relate to the Board?
This isn’t just an academic question. Security incidents are common and everyone, including board members, knows it. They’re right to hold CEOs and CISOs accountable for real world results. At the same time, we’re entering a time when many economists foresee a recession and people are already being laid off. No matter how big the problem, it is possible to waste money on the security budget. People’s jobs and equity values are at stake.
I asked a group of security executives about this recently on LinkedIn. Some are or were CISOs, some CEOs, and they’re all at least CISO-adjacent. There were many good answers, probably too many to relate here. But below are some of the better ones.
Risks and benefits
Chenxi Wang, Ph.D., Founder & General Partner Rain Capital, asks two questions: “What risks to the company are addressed by these budget items?” This is a straightforward and reasonable question, and it should be easy to answer. The CISO should include numbers on how the risks have manifested in recent years.
“What success metrics should we use to measure if the budgets are allocated optimally and for reporting (to the board, for instance).” Answering this correctly requires a lot of work, and a good CISO will have done that work. How to answer it may be different for different companies.
Security effectiveness
One suggested – why have many of our previous annual investments in security tools failed to fix the problems and reduce risk sufficiently? This is a good and perfectly fair question and raises some other good ones. Perhaps it would be better to ask how the effectiveness of a particular proposal fits with a plan we can measure over time.
You might also ask how well we know our security (products/services/practices) are working as intended. Are there good measurements of these things? What do you mean I have to buy another product to get that answer?
It’s worth asking what happens if the CEO and/or Board reject the budget as proposed, and then it’s a bad security year. Who’s responsible? A situation like this is fertile ground for blame-shifting. A thoroughgoing post-mortem will provide some insight, but it will probably be impossible to say that the incidents would have been prevented if only the budget had been approved.
But, assuming people act from good motives, the only way to get a correct answer to this question and the best way to have a successful post-mortem is to have robust metrics in place and rigorous measurement of those metrics according to the plan. The CEO should insist on this capability, which is increasingly automatable.
Security priorities
Then there’s the direct approach: “What would be your first three/five priorities, and in what order would you invest resources?”
This is a way of getting past setup and techno-babble to “what do you need from me?” I can imagine the CISO engaging in game theory, like, “I’m not getting number three/five, so what do I really need?”
The right way to ask this question is to flesh it out a bit: “What do you need to make the most impact towards those priorities? Is it budget, people in your team, people in other teams, leadership support, or external help?” Some of these don’t necessarily come with a budget, so maybe that will be welcome.
At the same time, it doesn’t come across as leadership. Should the CISO get to set all the security priorities?
Customer perspective on security
“What are the company’s prospects and current clients demanding relating to the internal security of the company?”
This is a great idea. Not only do you show the customers that you value them and their perspective, but they may have some excellent ideas that you wouldn’t think of from the inside. For the same reason, you may want to ask partners for their perspectives.
Don’t assume that the CISO knows the complete answer to this question. Others with more customer and partner contact may know more.
Are we eating our security vegetables?
You can’t blame a CEO for asking the CISO to demonstrate that high-level hacks won’t happen. “Can you prove that our most sensitive data (including C-Level Emails and Docs) is completely secure from password reuse and easy passwords? And that our most critical data is backed up and has been test-restored?”
“Prove” and “completely secure” are problematic here. It might be possible to prove that there are no simple passwords in use at the company, but there are probably very few companies where that is true.
Maybe a better question is, “are we doing all the basic things we know we should be doing?” A CEO would never ask, “are we sufficiently secure against the OWASP Top 10 threats,” but that would be a good one, probably one the CISO should be asking their own direct reports.
The CISO’s Guide to the CEO Budget Meeting
The flip side is that a good CISO should be ready to answer questions like these. There’s never a “meh” year for infosec; every year, there are vital priorities, the success of which could mean the success or failure of the company.
The CISO must convince the CEO that the problems you’ve identified are the ones that matter and that the solutions they propose are the ones that will address the problems. Even though the CEO doesn’t have a CISSP, their broader perspective may enable them to ask good questions.