What Questions Are CISOs Asking?

August 26, 2021 | By IANS Research

For security leaders, knowing where to go to find answers when you need them is important. Our Faculty serve as that clear-headed resource, enabling CISOs and their teams to accelerate their capabilities and make informed decisions. 

In this piece, we share examples of InfoSec questions posed by CISOs and other security leaders to our 80-plus member Faculty of security practitioners as part of our Ask-An-Expert service in the areas of executive communications, strategy, and resource allocation.

CISO Question Categories

1) Questions About Communicating InfoSec to Executives

The information security function is becoming a greater area of focus for boards and executives, perhaps now more than ever. This heightened interest is well warranted given the prevalence of high-profile ransomware attacks and the potential risks such incidents pose, not just to security, but to the entire business. 

Downstream pressures and expectations call for more frequent and improved communication between CISOs and executive teams to better align security with the business – a trend indicated in recent Ask-An-Expert inquiries around the topic of executive communications: 

2) InfoSec Strategy and Roadmap Questions

The strength of IANS’ Faculty is not only its size, at 80-plus members, but also its scope. Our hands-on practitioners’ breadth of coverage spans from “in the weeds” technicalities to high-level initiatives affecting the direction of the security program. Aggregated below is a small collection of sample inquiries around strategy and roadmap guidance: 

  • Requesting input on a BISO program, including help creating a strategic roadmap and knowing what resources are needed to mature the program, how to scale and what other BISO models look like. 
  • Leaning on Faculty advice for a first-time CISO during the transition, specifically focusing on what to do in the first 30, 60 and 90 days and guidance on how to foster better relationships with other business units. 
  • Inquiring about broad strategic information security trends as part of a 2022 planning process, gaining insights into how other organizations are shifting their strategies (such as decreasing offensive security investments or increasing compliance work) and how the security team can help the organization think more broadly and strategically. 
  • Searching for guidance on putting together a three-year security strategy, including core security programs and technologies, what the next few years will bring in cybersecurity and determining the optimal size of the security organization in relation to the size of a growing company. 

3) InfoSec Team Structure & Resource Allocation Questions

The IANS Faculty are also in a unique position because they constantly engage with other security teams across industries. This perspective means they can provide insight into what other security leaders are doing in terms of team structure and resource allocation. Examples of questions CISOs had in this space include: 

  • Asking for advice on developing a process to determine cyber needs and what to spend money on over a three- to five-year period, including technology and human capital costs, planning methods for identifying capability gaps, and assessing regulatory requirements and the budget needed to meet them. 
  • Understanding how a particular security team's size and model compare with those of similarly sized companies, as well as advice on changes that would improve the situation, including a recommendation of an ideal team size. 
  • Searching for industry-specific insights into when a CISO should report into business rather than technology leaders, highlighting the benefits of this structure and understanding how these organizations operate. 
  • Gaining insight on how to train new employees quickly, including recommended strategies, ways to organize a ramp-up program and how to tailor it effectively to individuals. 
  • Requesting input on staffing and the new IT structure following a recent acquisition.


InfoSec Resources for CISOs

Every question asked of our Faculty, including the examples listed here, was answered either with a detailed, action-oriented 1,000-word written report or with a one-hour phone call. 

However, the topics covered in this piece merely scratch the surface of our coverage in the information security space. That is why our flagship Ask-An-Expert service gives CISOs and their teams on-demand access to our Faculty, enabling teams to submit an unlimited number of questions and receive an unlimited set of practical, actionable answers. With over 80 Faculty members, IANS can always find the right information security practitioner with the deep domain-level expertise required to respond to any inquiry, quickly and easily. 

Get in touch with IANS to learn more about how you and your security team can benefit from an Ask-An-Expert engagement.
