As things around us rapidly unfold in the cybersecurity realm, many “experts” are sprouting out of the woodwork. How do we distinguish between the real deal and the phonies? Some questions to ask every “CISO” –
- How do you ensure security policies, procedures, baselines, standards, and guidelines are written to address the information security needs of your organization?
- What is your strategy for implementing and operating computer incident response teams (CIRTs)?
- Describe your ideal information security awareness program.
- How do you ensure the information security awareness program is delivered in a meaningful, understandable way to the intended audience? How do you define “intended audience”?
- How do you define risk? How do you communicate risk to executive management so they fully understand the consequences?
- What is your strategy for staying abreast of emerging regulatory developments to enable response in a timely manner?
- How do you balance acceptable risk against ensuring that business operations meet the mission of your organization?
So, you think you can CISO? Comment below with your answers to these questions.