Effective internal cybersecurity depends on chief information security officers (CISOs) and other security leaders knowing exactly what’s happening on their network and how it impacts overall protection. The problem is that when things are running smoothly, it’s tempting to go with the flow and avoid asking questions that might come with tough answers.

Here are four questions CISOs need to ask if they’re going to improve enterprise cybersecurity.

1. What’s Our Biggest Weakness?

The goal of cybersecurity is to mitigate vulnerabilities by identifying key weaknesses. Unfortunately, these IT issues aren’t always easy to spot in the CISO role given the amount of non-tech responsibility now owned by these executives. As Security Roundtable noted, the past few years have seen the CISO role evolve from one of risk manager to business enabler, in turn forcing a shift of both perspective and process.

As a result, CISOs must be willing to ask IT teams tough questions about where enterprise cybersecurity is effective and where potential weaknesses exist. Some of the most common include:

  • Cross-site scripting (XSS): This attack vector remains one of the most successful and lucrative for malicious actors. Almost 28 percent of all bug bounties in 2018 were paid to white-hat hackers who discovered DOM-based, reflected, stored and generic XSS vulnerabilities, according to HackerOne. What does this mean for CISOs? Even if they haven’t been a problem yet, XSS flaws almost certainly exist on the corporate network. Better to find them ahead of attackers.
  • Multifactor authentication (MFA): While introducing two or more factors for authentication significantly increases overall security with minimal disruption to user login processes, many organizations remain hesitant to implement this process. Employee pushback is often a primary challenge, but while CISOs don’t want to fight an uphill battle for better cybersecurity, MFA is worth the work.
  • Insider threats: The majority of organizations now consider internal threats on the same level as outsider attacks. This aligns with HackerOne findings that information disclosure remains a top-three security weakness: Despite their best efforts, employees often represent the biggest weakness in enterprise cybersecurity. Improved education plays a role in reducing this risk, but CISOs must also take steps to limit privileged access and monitor user activity across corporate networks.
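The XSS point above is the one weakness in this list that can be shown in code. The following is an added example, not code from the original article or from HackerOne: a reflected search page rendered two ways (raw concatenation versus contextual output encoding), plus a small self-check a team can run against its own render functions to find unencoded reflection before anyone else does. The page, the probe string and the helper names are all constructed for the illustration.

```python
import html
from urllib.parse import urlencode

# Constructed scenario: a search page that reflects the user's query back into HTML.
# The "vulnerable" renderer concatenates raw input; the "hardened" one encodes per context.

def render_search_vulnerable(query: str) -> str:
    # Reflected XSS: untrusted input lands in an HTML text node without encoding.
    return f"<p>Results for: <b>{query}</b></p>"

def render_search_hardened(query: str) -> str:
    # HTML text-node context: entity-encode <, >, &, " and '.
    return f"<p>Results for: <b>{html.escape(query, quote=True)}</b></p>"

def render_link_hardened(query: str) -> str:
    # URL + attribute context: percent-encode for the query string first,
    # then entity-encode the whole attribute value.
    href = "/search?" + urlencode({"q": query})
    return f'<a href="{html.escape(href, quote=True)}">search again</a>'

PROBE = "<xss-probe>"  # constructed marker; harmless, only used to detect unencoded reflection

def reflects_unencoded(render, probe: str = PROBE) -> bool:
    """Defensive self-check: does the renderer echo the probe back verbatim?

    A renderer that returns the literal probe text is reflecting input without
    encoding it for the HTML context and needs review.
    """
    return probe in render(probe)

def audit_renderers(renderers: dict) -> list:
    """Return the names of renderers that reflect input unencoded."""
    return sorted(name for name, fn in renderers.items() if reflects_unencoded(fn))

if __name__ == "__main__":
    findings = audit_renderers({
        "search_vulnerable": render_search_vulnerable,
        "search_hardened": render_search_hardened,
        "link_hardened": render_link_hardened,
    })
    print("renderers reflecting unencoded input:", findings)
```

The audit only catches the simplest failure (verbatim reflection into a text or attribute context); it is a starting point for a team's own template review, not a substitute for a scanner or a code review of every output context.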

2. How Many Apps Are Really Running on the Network?

Shadow IT. It’s not any CISO’s favorite phrase, but remains a common problem for enterprises. Thankfully, IT teams often have a better handle on — or can find out — exactly what applications and services are really running on corporate clouds. The number is often higher than expected: CSO pointed out that the proliferation of privately managed application programming interfaces (APIs) is quickly becoming “the new shadow IT” as developers and users deploy these APIs without security controls or oversight.

Armed with this knowledge, CISOs must create a plan to deal with shadow IT by determining how much risk benefits the business and how much is too much. Here, three broad strategies apply to turn shadow risk into business benefit:

  1. Ban everything — The most time- and resource-intensive option, some CISOs choose to aggressively pursue and eliminate shadow IT. This requires a top-tier monitoring solution to detect and identify unapproved apps. In addition, CISOs must draft clear guidelines and consequences for staff failure to comply.
  2. Incorporate where possible — This middle ground requires a review of all applications currently in use with the intent to green-light secure software solutions. Here, soliciting user feedback is often the fastest route to discovery — so long as it’s made clear that staff won’t face reprimands for coming forward with shadow application details.
  3. Design better solutions — Last but not least: Using in-house and open-source APIs to build applications that deliver key functions provided by shadow IT apps. The reasoning here is that shadow apps exist because employees can’t find the functions or ease-of-use they need from internal applications. By building out in-house alternatives, CISOs gain both security and critical network insight.
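Whichever of the three strategies a CISO picks, the first step is the same: an inventory of what is actually being used versus what is approved. The following is an added example, not code from the original article or from any product it mentions: it reads a few constructed proxy log lines, drops hosts that are on an assumed approved-inventory list, and ranks the remaining services by how many distinct users touch them, flagging those that look like API endpoints and those receiving uploads (the "new shadow IT" the article describes). The log format, hostnames, users and the approved list are all constructed for the illustration.

```python
from urllib.parse import urlsplit

# Constructed sample proxy log: "<timestamp> <user> <method> <url> <status>".
SAMPLE_LOG = """\
2019-09-03T10:01:02Z alice GET https://mail.example.com/inbox 200
2019-09-03T10:01:09Z bob POST https://api.unlisted-saas.example/v1/upload 201
2019-09-03T10:02:11Z carol GET https://crm.example.com/accounts 200
2019-09-03T10:03:45Z bob GET https://api.unlisted-saas.example/v1/files 200
2019-09-03T10:04:00Z dave POST https://notes.sharing-app.example/api/docs 200
2019-09-03T10:05:30Z alice POST https://api.unlisted-saas.example/v1/upload 201
"""

# Assumed approved-application inventory (constructed).
APPROVED_HOSTS = {"mail.example.com", "crm.example.com"}

WRITE_METHODS = {"POST", "PUT", "PATCH"}

def parse_line(line: str) -> dict:
    """Split one constructed log line into its fields and the URL's host/path."""
    ts, user, method, url, status = line.split()
    parts = urlsplit(url)
    return {"ts": ts, "user": user, "method": method.upper(),
            "host": parts.hostname, "path": parts.path, "status": int(status)}

def looks_like_api(path: str) -> bool:
    """Heuristic: first path segment is 'api' or a version tag like 'v1'."""
    segs = [s for s in path.split("/") if s]
    if not segs:
        return False
    head = segs[0].lower()
    return head == "api" or (len(head) >= 2 and head[0] == "v" and head[1:].isdigit())

def find_shadow_services(log_text: str, approved: set) -> list:
    """Return [(host, summary), ...] for hosts not in the approved inventory,
    ranked by distinct users, then request count."""
    stats = {}
    for raw in log_text.splitlines():
        if not raw.strip():
            continue
        rec = parse_line(raw)
        if rec["host"] in approved:
            continue
        entry = stats.setdefault(rec["host"],
                                 {"requests": 0, "users": set(), "api_like": False, "writes": 0})
        entry["requests"] += 1
        entry["users"].add(rec["user"])
        entry["api_like"] = entry["api_like"] or looks_like_api(rec["path"])
        if rec["method"] in WRITE_METHODS:
            entry["writes"] += 1  # data leaving the network is the higher-risk direction
    ranked = sorted(stats.items(),
                    key=lambda kv: (-len(kv[1]["users"]), -kv[1]["requests"], kv[0]))
    return [(host, {"requests": e["requests"], "users": sorted(e["users"]),
                    "api_like": e["api_like"], "writes": e["writes"]})
            for host, e in ranked]

if __name__ == "__main__":
    for host, summary in find_shadow_services(SAMPLE_LOG, APPROVED_HOSTS):
        print(host, summary)
```

Ranking by distinct users rather than raw request volume surfaces the services worth the "incorporate where possible" conversation first; a single user's one-off tool and a department-wide unsanctioned SaaS are different risks and should not look the same in the report.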

3. What’s the Cost of Improved Enterprise Cybersecurity?

Budgets matter, but so do outcomes. Here, CISOs must prepare themselves to hear the “bad news” of what it actually costs to improve cybersecurity.

In many cases, more personnel isn’t the answer. Not only are full-time employees expensive, but the growing cybersecurity skills gap makes it difficult to find best-fit candidates. Instead, CISOs are often better served by emerging technologies such as artificial intelligence (AI), identity and access management (IAM) and automation.

AI can help identify potentially malicious behavior, IAM solutions help limit the chance of an insider breach and automation significantly reduces the chance of human error. What makes this challenging for many CISOs is that solution, service and implementation costs vary across providers and industries, making it difficult to pin down exact cybersecurity spend.

As noted by Bank Info Security, however, it’s often more useful to look at the overall benefit of enterprise cybersecurity than the cost. While current predictions suggest that costs will outweigh direct infosec benefits sometime this year, the long-term benefits to IT security will continue to outpace spending. CISOs must also account for the cost benefits of what doesn’t happen to their organization.

According to Accenture’s “Ninth Annual Cost of Cybercrime Study,” 79 percent of businesses say new technologies introduce vulnerabilities faster than they can be secured. Meanwhile, IBM Security’s “2019 Cost of a Data Breach Report” found that data breaches now cost companies $3.92 million on average.

The bottom line is that costs avoided by securing networks and applications against potential breaches are more than enough to tip the scales in favor of intelligent cybersecurity spend.

4. How Do I Explain This to the Board?

The C-suite wants answers and actionable results. In turn, requests for bigger cybersecurity budgets often look like line items rather than line-of-business benefits.

Here, CISOs need to work with IT teams to create a narrative that frames IT security as a critical part of business success. It’s not always easy: Security Boulevard noted that just 38 percent of companies bring CISOs in on the ground floor of business discussions, meaning they’re often given limited time to make their pitch for enterprise cybersecurity needs.

According to Forrester, CISOs must help boards shift from “a culture of awareness to a culture of trust and understanding.” In practice, this means speaking to the business impact of potential security risks rather than the IT impact. Malware attacks don’t just limit network uptime; they could result in reputation loss and regulatory fines. Improved infosec integration doesn’t just streamline IT operations, it saves money every time an attack is identified at the perimeter or unauthorized access requests are refused by applications.

Knowledge Is Power

While discovering new weaknesses, shining a light on shadow IT, analyzing infosec costs and decoding the new language of C-suites isn’t always easy, tackling these top questions can help CISOs enhance enterprise cybersecurity and cement their role as essential business enablers.
