Cybersecurity In-Depth: Getting answers to questions about IT security threats and best practices from trusted cybersecurity professionals and industry experts.
Consider this your opportunity to educate.
Question: How should I answer a nontech exec who asks, "How secure are we?"
Kurtis Minder, CEO of GroupSense: Depending on your relationship with your executive team, it might help to qualify the question first. Secure compared to what? Compared to similar companies of focus and size in the industry? Compared to NIST 171? Compared to PCI DSS? In order to measure something like this, it helps to have a reference baseline. Otherwise the answer is opaque and virtually meaningless. Regardless of the answer, it is important to convey that the threat landscape is fluid and security programs need to be also.
You should also use this type of question as an opportunity to educate. Say to the exec: "Before I answer that question, what's your nightmare? Which systems are you most concerned about being compromised?" Depending on the answer, you can educate the executive on your company's risk profile – what systems are most likely to be attacked, who is most likely to attack them, and what techniques are most likely to be used.
From there, you can then tell the executive everything you've done to mitigate that risk – but that you're never 100% secure because all it takes is for one employee to click on the wrong link in the wrong email, and all your security measures go downhill. Next, you can emphasize how everyone in the company has a responsibility to be cybersafe and keep the company secure – including the executive questioning you.