The CISO's End-of-Year Questionnaire: How Do You Show Security Success

Posted on December 28, 2015 by RSAC Contributor

With the end-of-the-year looming, CSOs/CISOs have to update the Board of Directors on how the company fared security-wise over the past year. Todd Feinman, CEO and founder of data management company Identity Finder, provides a checklist to guide that conversation. How do CSOs show security successes?

The end of year boardroom discussion will focus primarily on 5 principal questions:

1. Were there any security incidents or even damaging breaches that were unforeseen?

2. Was the risk of a future breach of sensitive data reduced?

3. Were the needed security investments reduced or at least made more efficient?

4. Are we able to quantity cyber-risk and costs on financial terms?

5. Can we insure ourselves against any residual risk we can’t manage to cover ourselves?

If the ability to measure risk, measure cost, and introduce technologies that help with both could not be demonstrated by the CISO, 2016 will be the year that these business objectives are driven from the boardroom.

One area of questioning will be around the need to protect the organization’s data crown jewels—it’s sensitive or valuable data. That could be data that is either governed by regulations or that is too valuable to the organization to lose, and thus needs protection.

To safeguard an organization’s sensitive data, here is the checklist that successful CISOs will be following to understand the Who, What, Where, When, and How of sensitive data:

1. Where is all our sensitive data?

In 2015 many organizations could not answer this question and that led to misappropriation resources in the form of security controls being used broadly across the entire organization, resulting in increased cost to acquire and utilize.
Risk and cost reduction necessitates knowing where sensitive data resides and strategically applying the appreciate controls.

2. Who amongst our employees has access to our sensitive data?

Simply knowing who has access to a document or file server stops short of understanding what they have access to.

3. What is the nature of the information that makes it sensitive?

Are we protecting the information that is of most value to us or are we only covering the basics of PII, PCI and other regulatory mandated data types?
Successful CISOs will include company-confidential, proprietary trade secrets and intellectual property as part of their security strategy.

4. When has the sensitive data most recently been audited for obsolescence, necessity, access control, and governance (ownership)?

Not all information needs to be kept indefinitely, and for information that does, are we auditing its use and access? Shrinking the sensitive data footprint of an organization can reduce cost.

5. How likely is it to be leaked, if we were hacked?

Measuring the risk associated with keeping sensitive data will propel successful CISOs by allowing them to implement technologies and processes that will both reduce the risk and reduce the cost associated with protecting sensitive data.

Any CISO able to deliver answers to these questions to the board will enable them to clearly articulate the risks and costs associated with cyber security, and the confidence that the latest techniques and technologies are being used to manage them.

Contributors

RSAC Contributor

, RSAC

Business Perspectives

big data analytics risk management data security

View More Blogs

Blogs posted to the RSAConference.com website are intended for educational purposes only and do not replace independent professional judgment. Statements of fact and opinions expressed are those of the blog author individually and, unless expressly stated to the contrary, are not the opinion or position of RSA Conference™, or any other co-sponsors. RSA Conference does not endorse or approve, and assumes no responsibility for, the content, accuracy or completeness of the information presented in this blog.