The top 11 questions that every CISO should be able to answer

by

We recently polled some of our top security experts and engineering leaders to find out what critical information is required to secure their businesses and manage their resources effectively. We specifically asked, “What are the top questions you need to answer about your business?” Part one of this two-part series will look at these top questions from the perspective of the Chief Information Security Officer (CISO/CSO) who in many organizations is responsible for everything related to security.

CISOs must answers a broad set of questions that span the security function 

Since all of security bubbles up to the CISO, their areas of concern are fairly wide ranging. The CISOs we polled had a broad set of questions that included priorities, security controls, risk, critical assets, vulnerabilities, identity and access, and compliance.

We were left with eleven questions after compiling and deduplicating the responses, which we think every CISO should be able to answer. This is by no means an exhaustive list, but it can serve as a good indicator of what other security leaders are paying attention to. Let’s look at some specific areas of concern and related questions raised by the CISOs we interviewed. 

Asset management 

Asset management includes knowing where all of your physical and software-defined assets exist, compiling a complete inventory, and being able to interrogate them. These asset management questions from the CISOs show the importance of being able to define criticality, prioritize assets and findings, and map ownership, access, and vulnerabilities. 

The top questions related to assets include: 

  • Who owns (or is most likely to own) my critical assets and their associated findings?
  • Who or what can access my critical data? How?

Monitoring and detection

Continuous monitoring is an important aspect of security. Ensuring that networks, devices, servers, etc. have the correct detection capabilities is critical. This can include  everything from enabling logging to ensuring that your EDR tool is installed on all of your endpoints. This also applies to more than just physical assets and devices. Mature security teams must be able  to identify and monitor every asset in their environment. 

The top question related to monitoring was: 

  • Are my detection capabilities everywhere I expect them to be, fully capable, and up-to-date?

Vulnerability management

Vulnerability management is a key preventative measure for all security professionals. The theme of prioritization is evident in the questions below, which includes accounting for the type of resource, criticality, and the attack path or known exploit. Important metrics emerge as well. Vulnerability dwell time is the amount of time it takes to remediate a given vulnerability. Another key metric to track and report for customer support is the comparison of vulnerability dwell times to promised SLAs.

The top questions related to vulnerability management included:

  • What are my vulnerabilities or configuration issues, after they’ve been deduplicated and prioritized?
  • Who owns and has the ability to fix the assets and vulnerabilities?
  • What is my vulnerability dwell time and SLA adherence?

Risk management

Risk management is complex but is essential because it helps teams be better prepared to act. The risk-related questions proposed by our experts were a bit more open-ended. Knowing where the most important risks or attack paths are helps teams uncover the root of the risk to their organization.In addition, understanding how risk posture evolves  over time is an important indicator for CISOs, and can reveal a lot about the efficacy of the security programs and efforts.

The top risk management questions included:

  • What are my top risks?
  • Are we improving our risk posture?

Identity and access management and compliance

Identity and access management (IAM) touches on all of the topics discussed above. CISOs are concerned with: who has access to what, who should or should not have access, and who can fix issues. Controlling identities and access, as well as mapping them to compliance frameworks and regulations, is a critical piece of the security puzzle.

The top IAM questions included:

  • What tokens and roles are associated with which accounts? 
  • Do those comply with policies and security controls?

More questions than answers 

How confident are you that you can answer questions like these accurately?

Many security organizations are riddled with more questions than answers. If you can’t answer complex questions about assets, vulnerabilities, risks, or access, you’re working in the dark without sufficient light. Asset visibility is essential to security. Having confidence in the process and systems that you have in place to understand your resources and environments is an important step toward security maturity. JupiterOne helps you answer these questions and more. Contact us today to find out how. 

What are some of the critical questions and key metrics that your security organization is tracking? We’d love to hear how they compare to our experts. 

Kevin Miller
Kevin Miller

As Director of Product Marketing at JupiterOne, you can usually find Kevin researching competitors, digging into strategy, or collaborating with the product team on upcoming enhancements. With experience in FinTech, AppSec, and Cybersecurity, Kevin has a knack for simplifying technical concepts and communicating them effectively to the market.

Keep Reading

Proactive IAM Security: Transforming Identity Security with Actionable Insights | Okta Integration with JupiterOne
December 19, 2024
Blog
Unlocking Proactive Security: How Okta and JupiterOne Elevate IAM Insights

Unlock proactive IAM security with Okta and JupiterOne, gaining real-time insights, enforcing least privilege, and reducing risks in dynamic cloud environments.

Transitioning from Vulnerability Management to Exposure Management | JupiterOne
December 13, 2024
Blog
Transitioning from Vulnerability Management to Exposure Management with JupiterOne

Explore Gartner's latest report on Exposure Management and learn how your organization can prioritize vulnerabilities and minimize exposures.

The Ultimate CAASM Guide for 2025 | JupiterOne
November 20, 2024
Blog
The Ultimate CAASM Guide for 2025

Discover how Cyber Asset Attack Surface Management (CAASM) is providing enhanced visibility of internal and external assets in 2025.

15 Mar 2022
Blog
One line headline, one line headline

Lorem ipsum dolor sit amet, consectetur adipiscing elit, sed do eiusmod tempor incididunt ut labore et dolore magna aliqua. Ut enim ad minim veniam, quis nostrud eiut.

15 Mar 2022
Blog
One line headline, one line headline

Lorem ipsum dolor sit amet, consectetur adipiscing elit, sed do eiusmod tempor incididunt ut labore et dolore magna aliqua. Ut enim ad minim veniam, quis nostrud eiut.

15 Mar 2022
Blog
One line headline, one line headline

Lorem ipsum dolor sit amet, consectetur adipiscing elit, sed do eiusmod tempor incididunt ut labore et dolore magna aliqua. Ut enim ad minim veniam, quis nostrud eiut.