As CISOs gain stature and responsibility, the top security role only gets more demanding. In addition to continuously evaluating their security postures to determine what adjustments are needed to adequately protect their organizations, today’s CISOs must align with the business in ways that advance key business objectives and bring questions and tradeoffs around risk management squarely into the spotlight.
To fulfill this increasingly complex remit at a time when personal liability has become a real concern, CISOs must continually assess not just their security stacks and postures, but also their teams’ cultures, the state and direction of the business at large, and their position in ensuring their organizations thrive despite myriad existing and emerging risks.
Here, thought leaders offer the 10 most pressing questions that security chiefs must answer as part of their ongoing security strategy and career growth plans.
1. Am I a business enabler or an impediment?
The security function can have a reputation for being the “department of ‘no,’” so CISOs should ponder whether they and their teams are living up to that name, says Sameer Ansari, managing director and global security and privacy leader at global consulting firm Protiviti.
“CISOs need to ask: ‘Am I seen as an enabler or a blocker?’” he adds.
CISOs who find that their executive colleagues avoid them or engage them only when projects hit their later stages are likely seen as impediments to business objectives rather than enablers of business success, Ansari explains. Similarly, CISOs who hear of initiatives through office chatter rather than as partners during planning sessions are probably seen as obstructionists, too.
Those who find themselves in such circumstances can turn that around, Ansari notes.
“Don’t just shut down ideas. Help them do what they want to do by being consultative and do it without judgment,” he explains. “Educate the business on the risks and let the business make the decision on how much risk it wants to take on. Or, if it’s outside the organization’s risk tolerance level, then say, ‘Let’s escalate this.’”
2. How can we achieve the right security balance for our company’s risk tolerance?
To play that consultative role, CISOs also need to ask and answer that question, says Vandy Hamidi, CISO of public accounting and advisory firm BPM.
“My role is to reduce risk in a way that enables the business to operate confidently while serving our clients effectively. If we lock everything down, we hurt the business, frustrate users, and lose agility. But if we under-secure, we expose the company to breaches, regulatory risk, and reputational harm,” he says. “To strike the right balance, we focus on understanding how the business operates, its priorities, its challenges, and its people. That means working cross-functionally to assess not just technical exposure, but operational impact.”
To do so, Hamidi’s team collaborates closely with business leaders and colleagues to align security with the business while ensuring client and organizational data is adequately protected. “It’s not just about technical safeguards; it’s about building trust, communicating risk in business terms, and making security a strategic enabler rather than a blocker,” he says.
John Denning, CISO at the Financial Services Information Sharing and Analysis Center (FS-ISAC), says CISOs could also ask themselves, “Is security supporting the business and protecting customers and clients at the same time?”
“CISOs need to balance the two,” he says. “As an example, we are seeing a rise in ‘smart friction’ — strategically placed obstacles in the user experience designed to increase security and slow payment authorizations.”
3. What are the right metrics to present to the board?
CISOs need to demonstrate how they’re enabling the business, and that means identifying how to measure their work in ways that matter to the board, says Jeff Pollard, vice president and principal analyst with Forrester Research.
Data around the number of systems patched, mean time to response, and mean time to remediation don’t give the board any reason to think security is helping drive the business forward, he says.
Instead of using those, CISOs need to find metrics that speak to security’s role in supporting business objectives as well as metrics that enable better executive and board decision-making, Pollard says.
4. What does cybersecurity mean to the organization?
CISOs also need to understand where the security function fits within the organization so they can ascertain whether they have the power to affect the right actions, says Paul Caron, head of cybersecurity for the Americas at consultancy S-RM.
“Many times, CISOs are responsible for taking action on the risks at hand, but are they really in the seat to take on these challenges? Are they going to be supported and resourced accordingly? Do they really have exec-level support to be agents of change? These are all the questions that every CISO now especially needs to ask themselves and others,” he says.
In an era where “CISOs are, in fact, accountable for and can be held liable for organizations being unprepared for cyber incidents,” Caron says it’s imperative for CISOs to know whether they have the authority that should accompany that accountability.
“They should be reevaluating their assessment of how an organization views risk management and how much of a voice they are being afforded at the decision table. These are key questions they need to be very transparent with themselves on,” he says, adding that “a CISO without authority is the worst seat in the house.”
5. Am I effectively communicating technical risks?
CISOs should also ask themselves whether they’re able to put cybersecurity risks in terms that the business understands, Protiviti’s Ansari says.
He has seen security chiefs too often talk about risks in technical terms, but talking to other executives about the lack of cloud container security or misconfigurations, for example, won’t help them understand what’s at stake.
“That’s going to go over everyone’s head. Even today, when you have more board members versed in cyber, they’d still be asking, ‘What does that really mean?’” Ansari says.
He advises CISOs to consider whether they’re really telling the security and risk stories in ways that the business will understand; he suggests CISOs ask trusted colleagues both inside and outside the security department for feedback to help with this task.
It’s worth the effort, he adds, because CISOs who tell better stories are more effective in conveying the business risks, which gets them more authority, resources, and alignment to business goals.
6. Does my team feel empowered to challenge me?
No single individual — even the CISO — can make the best calls all the time, so security leaders should welcome information on where their programs are falling short.
“So they have to ask themselves: Does my team feel empowered to challenge my decisions? Am I encouraging dissent?” Ansari says.
Ansari advises CISOs who find that their teams don’t feel they can speak up to work on their workplace cultures by encouraging discussion, responding positively to challenges, and seeking opinions. Simply asking, “I need other perspectives on this,” can help here, Ansari adds.
7. What do our customers want us to do for security?
CISOs are hearing from customers about their security priorities through the third-party security questionnaires that have proliferated in recent years, Pollard says. The questions give CISOs insights into what customers care about and what they want the CISOs’ organizations to do from a security perspective.
“If you understand that, you can build a business case for security,” he says, explaining that CISOs can use the cost of a security control sought by certain customers and the revenue generated by those customers to calculate the value of the security work. “CISOs need to map this out: How many customers ask this of us and what is the revenue they’re worth?”
8. Where does all the organization’s data really reside?
Aimee Cardwell, CISO in residence at tech company Transcend and former CISO of UnitedHealth Group, knows firsthand the reason for asking this question, saying, “Experience has shown me in the most painful ways that data is somewhere I haven’t seen.”
She has discovered sensitive data tucked into invoice folders and in servers and databases from old shadow projects, for example. She notes, too, that CISOs may have data in unknown locations following company acquisitions and mergers. “And then you layer AI into that, and you may be leaking data you don’t even know about,” she adds.
Brian M. Gant, associate dean of technology and assistant professor of cybersecurity at the John E. Simon School of Business at Maryville University, says CISOs need to continuously ask, “Where is the organization’s most valuable data and how are we protecting it?” and “Where are the keys to the kingdom?” to help them tackle this issue and ensure they’re adequately protecting sensitive data.
Nick Kramer, principal of applied solutions at global consulting firm SSA & Co., also advises CISOs to ask whether they have the needed insight into where the organization’s unstructured data resides and whether that data is appropriately protected. For example, he advises CISOs to get their organizations to stop emailing attachments and instead send links to documents housed in secure locations, to get files off worker devices and into those same secure locations, and to implement encryption.
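The practical first step behind Cardwell’s and Kramer’s point is a discovery scan: walk the file shares and find sensitive data where nobody expected it. The script below is an added example, not code from the article or from any of the people quoted in it. It builds a small constructed directory tree (an “invoice folder” with a stray card number, a decoy number that fails the Luhn check, and a benign file), then scans it for Luhn-valid payment card numbers and reports each hit masked. The file names, paths and numbers are all constructed for the example.

```python
"""Sensitive-data discovery scan (constructed example, not from the article).

Walks a directory tree and flags files that contain Luhn-valid payment card
numbers, the kind of data that quietly ends up in invoice folders and
abandoned project directories.
"""
from __future__ import annotations

import re
import tempfile
from pathlib import Path

# 13 to 19 digits, optionally separated by single spaces or dashes; lookarounds
# keep the scanner from matching a slice of a longer digit run.
PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")
SKIP_SUFFIXES = {".png", ".jpg", ".zip", ".exe", ".dll", ".pdf"}
MAX_BYTES = 5 * 1024 * 1024  # the toy scanner skips anything over 5 MiB


def luhn_ok(digits: str) -> bool:
    """Return True if the digit string passes the Luhn checksum."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def mask(pan: str) -> str:
    """Keep BIN and last four so a finding is actionable without copying the PAN."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def find_pans(text: str) -> list[str]:
    """Return Luhn-valid card numbers (digits only) found in text."""
    hits = []
    for m in PAN_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            hits.append(digits)
    return hits


def scan_tree(root: str) -> dict[str, list[str]]:
    """Map relative file path -> masked PANs, for every file with at least one hit."""
    findings: dict[str, list[str]] = {}
    root_path = Path(root)
    for path in root_path.rglob("*"):
        if not path.is_file() or path.suffix.lower() in SKIP_SUFFIXES:
            continue
        if path.stat().st_size > MAX_BYTES:
            continue
        try:
            text = path.read_text(encoding="utf-8", errors="strict")
        except (UnicodeDecodeError, OSError):
            continue  # binary or unreadable; a real scanner would extract text first
        pans = find_pans(text)
        if pans:
            findings[str(path.relative_to(root_path))] = [mask(p) for p in pans]
    return findings


def build_sample_tree() -> str:
    """Constructed file share: one stray PAN in an invoice folder, one decoy, one benign file."""
    root = tempfile.mkdtemp(prefix="share-")
    invoices = Path(root, "finance", "invoices", "2023")
    invoices.mkdir(parents=True)
    # 4111 1111 1111 1111 is the well-known Visa test number; it passes Luhn.
    (invoices / "INV-1042.txt").write_text("Paid by card 4111 1111 1111 1111, ref 20230001042\n")
    # Same length, fails Luhn: a tracking number, not a card.
    (invoices / "INV-1043.txt").write_text("Tracking 4111111111111112 shipped\n")
    hr = Path(root, "hr")
    hr.mkdir()
    (hr / "handbook.txt").write_text("Welcome to the company.\n")
    return root


if __name__ == "__main__":
    for rel_path, pans in scan_tree(build_sample_tree()).items():
        print(f"{rel_path}: {', '.join(pans)}")
```

The Luhn check is what separates a card number from an invoice or tracking number of the same length; without it the scan drowns in false positives. Real discovery tooling adds text extraction for office formats and PDFs, more pattern types, and throttling for large shares, but the shape is the same.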
9. How will AI impact my staffing?
In recent years CISOs have trained their security teams to support the secure use of AI by business teams. Now they need to adjust their own staffing strategies as AI becomes an increasingly prominent tool within the security department. “They need to be exploring, What is the impact of AI on my staffing? How is my organization going to be different?” Pollard says.
He says CISOs must consider how their team members will work alongside AI agents and whether they’re ready to effectively do so. And they should consider how staffing in the security operations center will change. For example, Pollard says AI will likely reduce the need for entry-level workers but may mean more level 2 analysts. That requires CISOs to think about how they recruit and train those senior analysts if fewer will be coming from level 1 SOC analyst positions.
10. What’s the next attack that could surprise me?
“What’s the next vulnerability or the next threat?” That, SSA’s Kramer says, is a key question to ask and answer.
CISOs, of course, have long worried about zero-day exploits, and they must continue to. But they also need to consider how their evolving attack surface and the growing sophistication of attackers can open holes in their security plans almost instantaneously.
“My biggest fears are always what I don’t know, where am I going to be surprised,” says Cardwell, the Transcend CISO in residence.
To allay such fears, Maryville University’s Gant advises CISOs to ask “What is my attack surface?” and “Who is after me and why?” and use the answers to devise appropriate plans for safeguarding data and systems.
Another question to ask, according to FS-ISAC’s Denning, is this: Do I have a defensive technology stack that is fit for purpose while aimed toward the future?
“Powerful new tools are arming bad actors to commit more effective fraud, ransomware, and DDoS attacks, among other threats,” he adds. “CISOs need to assess whether they have the right tools and talent to combat these threats and address emerging ones.”
For example, Denning says CISOs should be inventorying their cryptographic assets, which algorithms, key sizes and protocols are in use and where, to prepare for the day when quantum computing changes all their plans.
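A cryptographic inventory starts by reading what is actually deployed rather than what the design documents say. The script below is an added example, not code from the article or from FS-ISAC. It parses the SubjectPublicKeyInfo structure (the public-key part of an X.509 certificate) with a minimal DER reader, records algorithm and key size for each asset, and flags the algorithms a cryptographically relevant quantum computer would break, which is the list a post-quantum migration plan starts from. The asset names and keys are constructed for the example: the RSA moduli are arbitrary numbers of the right size, not real keys, and the EC point is filler bytes.

```python
"""Cryptographic inventory (constructed example, not from the article).

Reads DER-encoded SubjectPublicKeyInfo blobs, extracts algorithm and key
size, and flags quantum-vulnerable public-key algorithms. Sample keys are
constructed, not real.
"""
from __future__ import annotations

OIDS = {
    "1.2.840.113549.1.1.1": "rsaEncryption",
    "1.2.840.10045.2.1": "id-ecPublicKey",
    "1.2.840.10040.4.1": "id-dsa",
    "1.3.101.112": "Ed25519",
}
CURVES = {"1.2.840.10045.3.1.7": ("secp256r1", 256), "1.3.132.0.34": ("secp384r1", 384)}
# All of the above rest on factoring or discrete logarithms, which Shor's algorithm breaks.
QUANTUM_VULNERABLE = set(OIDS.values())


def der_read(buf: bytes, pos: int) -> tuple[int, bytes, int]:
    """Read one DER TLV at pos; return (tag, content, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the number of length octets
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def der_children(content: bytes) -> list[tuple[int, bytes]]:
    """Split a SEQUENCE's content into its child (tag, content) pairs."""
    out, pos = [], 0
    while pos < len(content):
        tag, value, pos = der_read(content, pos)
        out.append((tag, value))
    return out


def decode_oid(b: bytes) -> str:
    """Decode OID content octets to dotted form (first two arcs share one octet)."""
    parts, acc = [b[0] // 40, b[0] % 40], 0
    for byte in b[1:]:
        acc = (acc << 7) | (byte & 0x7F)
        if not byte & 0x80:
            parts.append(acc)
            acc = 0
    return ".".join(map(str, parts))


def inspect_spki(der: bytes) -> tuple[str, int | None, str]:
    """Return (algorithm, key bits, detail) for a DER SubjectPublicKeyInfo."""
    _, body, _ = der_read(der, 0)
    (_, alg_id), (_, bit_string) = der_children(body)
    alg_params = der_children(alg_id)
    algorithm = OIDS.get(decode_oid(alg_params[0][1]), "unknown")
    key = bit_string[1:]  # first octet of a BIT STRING is the unused-bit count
    if algorithm == "rsaEncryption":
        (_, modulus), (_, exponent) = der_children(der_read(key, 0)[1])
        bits = int.from_bytes(modulus, "big").bit_length()
        return algorithm, bits, f"e={int.from_bytes(exponent, 'big')}"
    if algorithm == "id-ecPublicKey":
        curve, bits = CURVES.get(decode_oid(alg_params[1][1]), ("unknown curve", None))
        return algorithm, bits, curve
    return algorithm, None, ""


def inventory(assets: dict[str, bytes]) -> list[dict]:
    """One row per asset, carrying the flag a post-quantum migration plan keys off."""
    rows = []
    for name, der in assets.items():
        algorithm, bits, detail = inspect_spki(der)
        rows.append({"asset": name, "algorithm": algorithm, "bits": bits, "detail": detail,
                     "quantum_vulnerable": algorithm in QUANTUM_VULNERABLE})
    return rows


# DER encoder, used only to build the constructed sample keys below.
def der_tlv(tag: int, content: bytes) -> bytes:
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    length = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(length)]) + length + content


def der_int(i: int) -> bytes:  # the extra leading zero octet keeps the INTEGER positive
    return der_tlv(0x02, i.to_bytes((i.bit_length() + 8) // 8, "big"))


def der_oid(s: str) -> bytes:
    arcs = [int(a) for a in s.split(".")]
    out = [40 * arcs[0] + arcs[1]]
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        while arc := arc >> 7:
            chunk.insert(0, 0x80 | (arc & 0x7F))
        out += chunk
    return der_tlv(0x06, bytes(out))


def sample_assets() -> dict[str, bytes]:
    """Constructed keys: moduli are arbitrary numbers of the right size, not real keys."""
    def rsa(bits: int) -> bytes:
        alg = der_tlv(0x30, der_oid("1.2.840.113549.1.1.1") + b"\x05\x00")
        pub = der_tlv(0x30, der_int((1 << (bits - 1)) | 0x1234567) + der_int(65537))
        return der_tlv(0x30, alg + der_tlv(0x03, b"\x00" + pub))
    ec_alg = der_tlv(0x30, der_oid("1.2.840.10045.2.1") + der_oid("1.2.840.10045.3.1.7"))
    ec = der_tlv(0x30, ec_alg + der_tlv(0x03, b"\x00\x04" + b"\x11" * 64))
    return {"vpn-gateway": rsa(2048), "legacy-ldap": rsa(1024), "api-tls": ec}


if __name__ == "__main__":
    for row in inventory(sample_assets()):
        print(row)
```

In a real inventory the DER blobs come from certificates pulled off TLS endpoints, key stores, SSH hosts and code-signing setups, and the rows gain an owner, a location and an expiry so the migration can be sequenced. The parser is deliberately minimal; a production run would use a full X.509 library and also record the symmetric and hash algorithms in negotiated cipher suites, which need larger parameters rather than replacement.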
Kramer says CISOs need to do more to get ahead of the future. He recommends CISOs appoint staff members to look around the corner, just as CTOs typically have people to study emerging technologies.
“CISOs are looking ahead, but too often they’re waiting until other people figure it out and tell them what to do, and that means the fixes are [determined] because of some successful attacks,” Kramer says. “But nowadays you have to have a view of experimentation and really trying to figure out what’s next, perhaps using simulation tools to find new attack surfaces.”