Five Cyber Security Questions Any CISO Should Be Able to Answer in 2022

Cyber security is critical to your entire organisation, but often poorly understood. 58% of businesses with more than 500 employees are increasing their investment in cyber security this year.

Changes to working patterns, the threat landscape and technology all demand a response. But with more investment and greater scrutiny come more questions from more people.

Your ability to provide the right answers will determine how cyber security is perceived within your organisation — and how you are perceived as a leader. 

Although the specifics will always vary, there are a handful of very common questions — or at least question types — that are worth your attention. Understanding these questions, why they are asked, and the best kind of response will help you provide the right answers at the right time. 

This is our guide to the most common cyber security questions you’re likely to encounter in 2022, and that any self-respecting CISO should be ready to answer. Let’s get started. 

Question 1: The assurance request

Cyber security is fundamentally about risk management, so you will regularly be asked about risk exposure and the effectiveness of your mitigation strategies. These queries can also be rooted in misunderstanding.

How it might be asked: 

Are we 100% secure? Can you guarantee that it will work? Are you sure?

What it means: 

This question is about peace of mind, but it’s also often rooted in a misunderstanding about the fundamentals of cyber security. The person asking this question wants to understand the level of risk — but, more likely than not, they just want you to take away uncertainty.   

How to answer: 

Use specifics to explain where there are tangible benefits, but make sure to reset this person’s expectations. For example, “Cyber security is not about guarantees, it’s about risk management and threat reduction. But I can assure you that these steps will benefit us, and will do so in the following ways…” 

You can (and should) also alleviate their fears by making it clear that uncertainty is built into your strategy, and you can use the same point to support greater investment in cyber. For example, “Although we never know what threats are around the corner, change, continual assessment and agility sit at the core of our strategy. Certainty isn’t a luxury we have, and that’s why we can’t become complacent.”

Question 2: The risk inquiry

People know that there are risks, but they often don’t know how to quantify those risks or what form they take. As the organisation’s nexus of security expertise, you are likely to be asked for your opinion by leaders from across the business. It’s important to be prepared with specifics.

How it might be asked: 

Can you tell me our biggest risks? What keeps you up at night? What should we be concerned about most?

What it means: 

This question is about risk management. It’s generally asked by someone who understands that risk is inevitable, and they want you to prioritise the challenges. 

How to answer: 

You want to be honest and you want to have an answer ready. Understanding your organisation’s risks is a significant part of your job. You may want to hedge your statement by highlighting that other risks exist, but you should have a specific answer to this question, be able to explain the steps you have already taken to mitigate that risk, and describe the steps you will take to reduce it further.

For example, “Outside threats always change, but my biggest concern recently has been … We developed a five-step solution, the first two stages of which have already been executed. We have…”


Question 3: The landscape comparison

News of a breach or cyber-attack can spread quickly. Security in the abstract is fine, but business leaders are often just as interested (if not more interested) in how they stack up against the competition. There is a lot of value in looking at how you compare against the market, but it’s important not to commit to an evaluation of a specific incident before all the facts have come to light.

How it might be asked: 

What happened at company X? How do we compare to others? How bad is it out there? 

What it means: 

“If it bleeds it leads” — and most cyber security news items that filter out to the general public are scare stories. Board members and business leaders will read these articles and reports and understandably be concerned. This question is about better understanding the threat landscape and understanding your organisation’s comparative position in the market. 

How to answer: 

This question is a great opportunity to talk about trends and reasons to invest in improvements, and to demonstrate the risks of not being prepared. However, avoid speculating about the root causes of incidents you don’t yet understand. Particularly with fast-moving news stories, you are likely to be asked about events before anyone, including the affected organisation, knows what happened.

Address the question head on, then quickly return to your own problems and solutions rather than speculation. For example, “I don’t want to speculate about that incident until more information is available. But I can assure you that we are watching the situation, and would be happy to follow up with you when we know more. This is, however, one more example of why taking our internal risks seriously is so important. I would highlight…”

Question 4: The performance quiz

It’s important that cyber security outcomes are effectively delivered. But cyber security investments can be expensive and, frankly, there is a limitless number of investments that could be made.

An effective cyber security programme relies on risk assessments and the triaging of threats. You need to be ready and able to explain why you have made the investments you have, why they are effective, and where more investment is needed.

How it might be asked: 

Are we spending enough? Are we spending too much? Are we allocating our resources correctly?

What it means:

Board members want to understand how resources are being used, where cost can be cut, and where greater investment is needed. Communicating these key points is a critical part of your Board presentation — this question is generally about getting you to expand on one of these points. 

How to answer: 

Knowing where more investment is needed and where, perhaps, it can be cut will help you answer this question. Again, a straightforward answer is best, and tying your answer back to business outcomes and strategy will give it context, particularly if you’re suggesting that greater investment is needed. Wherever possible, explain your goals in terms of business performance, not technology.

You can also use this question as an opportunity to address the fact that it’s not all about money. Cultural support, commitment to secure processes and organisational structure all matter. You might need to spend money upfront in order to train staff or develop a new strategy. But it’s really about how your organisation operates, not simply what it spends money on. You might want to stress the need for cross-departmental communication and support, not just funding.  

Question 5: The incident response

There are no guarantees in cyber security. Breaches happen, and you need to be prepared for that eventuality. That means having a cyber response plan, and it also means being prepared to answer questions. You can be sure that if an incident occurs, it will be accompanied by a lot of questions.      

How it might be asked: 

How did this happen? What went wrong? You said you had it under control! 

What it means: 

This question means that something went wrong. You might be informing the Board (or leadership) about this problem, or they might already know. 

How to answer: 

You have to take responsibility, but you should also note that incidents happen; that is the nature of cyber security. Use this as an opportunity to highlight the importance of continued vigilance and to explain your plan of action to reduce this risk in future. Be factual, separate what the investigation has established from what is still unknown, be ready to supply details, outline the weaknesses that were exposed, and explain the steps underway to reduce this risk moving forward.

Be straightforward and be prepared

It’s always good to answer a hard question head-on, and immediately. For example, if you’re in the middle of a presentation, don’t stick rigidly to your agenda at the expense of addressing questions as they arise. 

Fundamentally, the better you understand the risk landscape, your organisation’s risk exposure, and your risk strategy, the easier it will be to respond to any question that comes your way. Beyond that, studying these basic question types and why they are asked lets you respond quickly in ways that will resonate best.

How you communicate cyber security to leadership makes a big difference. If you want more details about how to talk to the board, check out our free resources — Board Presentation ToolKit: Cyber Security and Threat Management  
