
8 questions CFOs should ask about their security program


The following is a guest post from Phillip Lee, cybersecurity advisor at Reisender. Opinions are the author’s own.

With the rise in cross-functional oversight and engagement in cybersecurity, leaders from all functional areas need to understand new security requirements. Below are some questions and ideas that will help CFOs better understand their organization’s security posture and influence their program maturity in the right direction.

I suggest you don’t simply hand these questions to your teams; pick one or more and use them to start a meaningful conversation. The insights you gain will help you understand your firm’s security posture. Asking these questions should also help your security team align their goals with the business goals.

1. How have we tested our incident response capabilities and what have we improved as a result?

When asking this question, look for responses that detail specific incident response exercises or simulations. Effective answers should highlight lessons learned from these tests and concrete improvements made to the incident response plan. These could include faster detection times, better communication protocols or enhanced recovery procedures.

2. How are we managing our cybersecurity risks and who is involved in our risk management program?

Responses should outline the risk management processes in place, such as regular risk assessments, threat modeling and mitigation strategies. It’s important to understand who is notified regarding these risks — this could be senior leadership, the board of directors or specific stakeholders. Look for answers that demonstrate a clear risk management approach and accountability.

[Photo: Phillip Lee, cybersecurity advisor at Reisender. Permission granted by Phillip Lee.]

3. Is the security risk management program integrated with our enterprise risk management program?

Integration is key for a holistic approach to risk management. Look for responses that show how cybersecurity risks are considered within the broader Enterprise Risk Management framework. This includes aligning cybersecurity initiatives with business objectives and ensuring that risk management practices are consistent across the organization.

4. Does our organization meet a specific security baseline, compliance-driven or otherwise, and why was that framework selected?

Acceptable responses include alignment with, and audit against, a known security and/or compliance framework (e.g., ISO 27001, NIST CSF, SOC 2, the CIS Top 18 Critical Security Controls). The framework should be selected based on your industry, business needs and organizational risk. Answers that warrant follow-up are those that focus too much on why you don’t do or need this, that are overly solution-specific (e.g., “We have a penetration test, we are good”), or that show a lack of understanding of why the organization should do this at all.

5. How do we handle third-party risk management?

Responses should cover the processes in place for assessing and monitoring the security practices of vendors and partners. This includes due diligence, regular audits and contractual requirements for security standards. Ask how identified vendor risks are handled by the business units that own those relationships, to ensure that preferred vendors are not merely rubber-stamped regardless of their actual security effectiveness.

6. What significant exceptions to our security program have been made for any department, system or process?

This question aims to uncover gaps or exceptions in the security program. Acceptable responses should explain the rationale behind these decisions, such as a cost-benefit analysis or risk prioritization. Be wary of answers that indicate a lack of oversight, or a lack of understanding of the potential risks created when one or more functional areas are classified as out of scope.

7. What are our key performance indicators for cybersecurity and how are we tracking them?

Look for specific metrics that are used to measure the effectiveness of the security program, such as the number of incidents detected, response times and outcomes of security activities. Answers should also explain how these KPIs are reported and who reviews them. Look for answers that highlight KPIs tailored to your organization and a willingness to design KPIs for your needs.

8. What is our approach to threat intelligence and how do we use it to improve our security posture?

Look for answers that describe how your organization gathers, analyzes and acts on threat intelligence. This could include partnerships with threat intelligence providers, participation in information-sharing communities and integration into security operations. A well-rounded answer will highlight threat intelligence integrated into key processes, whereas a poor one will focus on threat feeds available to the team.

Leverage these questions with your team and see where they can take you. They are designed to give you a starting point to check in with your security team without getting into the weeds while making you, as a business leader, comfortable with the current state of your program. The responses to these questions will allow you to make informed decisions that impact your organization’s security initiatives and identify ways to further align the program to your business needs.
