Effective internal cybersecurity depends on chief information security officers (CISOs) and other security leaders knowing exactly what’s happening on their network and how it impacts overall protection. The problem is that when things are running smoothly, it’s tempting to go with the flow and avoid asking questions that might come with tough answers.

Here are four questions CISOs need to ask if they’re going to improve enterprise cybersecurity.

1. What’s Our Biggest Weakness?

The goal of cybersecurity is to mitigate vulnerabilities by identifying key weaknesses. Unfortunately, these IT issues aren’t always easy to spot in the CISO role given the amount of non-tech responsibility now owned by these executives. As Security Roundtable noted, the past few years have seen the CISO role evolve from one of risk manager to business enabler, in turn forcing a shift of both perspective and process.

As a result, CISOs must be willing to ask IT teams tough questions about where enterprise cybersecurity is effective and where potential weaknesses exist. Some of the most common include:

• Cross-site scripting (XSS) — This attack vector remains one of the most successful and lucrative for malicious actors. Almost 28 percent of all bug bounties in 2018 were paid to white-hat hackers who discovered dom-based, reflected, stored and generic XSS vulnerabilities, according to HackerOne. What does this mean for CISOs? Even if they haven’t been a problem yet, XSS flaws almost certainly exist on the corporate network. Better to find them ahead of attackers.
• Multifactor authentication (MFA) — While introducing two or more factors for authentication significantly increases overall security with minimal disruption to user login processes, many organizations remain hesitant to implement this process. Employee pushback is often a primary challenge, but while CISOs don’t want to fight an uphill battle for better cybersecurity, MFA is worth the work.
• Insider threats — The majority of organizations now consider internal threats on the same level as outsider attacks. This aligns with HackerOne findings that information disclosure remains a top-three security weakness: Despite their best efforts, employees often represent the biggest weakness in enterprise cybersecurity. Improved education plays a role in reducing this risk, but CISOs must also take steps to limit privileged access and monitor user activity across corporate networks.

2. How Many Apps Are Really Running on the Network?

Shadow IT. It’s not any CISO’s favorite phrase, but remains a common problem for enterprises. Thankfully, IT teams often have a better handle on — or can find out — exactly what applications and services are really running on corporate clouds. The number is often higher than expected: CSO pointed out that the proliferation of privately managed application programming interfaces (APIs) is quickly becoming “the new shadow IT” as developers and users deploy these APIs without security controls or oversight.

Armed with this knowledge, CISOs must create a plan to deal with shadow IT by determining how much risk benefits the business and how much is too much. Here, three broad strategies apply to turn shadow risk into business benefit:

1. Ban everything — The most time- and resource-intensive option, some CISOs choose to aggressively pursue and eliminate shadow IT. This requires a top-tier monitoring solution to detect and identify unapproved apps. In addition, CISOs must draft clear guidelines and consequences for staff failure to comply.
2. Incorporate where possible — This middle ground requires a review of all applications currently in use with the intent to green-light secure software solutions. Here, soliciting user feedback is often the fastest to discovery — so long as it’s made clear that staff won’t face reprimands for coming forward with shadow application details.
3. Design better solutions — Last but not least: Using in-house and open-source APIs to build applications that deliver key functions provided by shadow IT apps. The reasoning here is that shadow apps exist because employees can’t find the functions or ease-of-use they need from internal applications. By building out in-house alternatives, CISOs gain both security and critical network insight.

3. What’s the Cost of Improved Enterprise Cybersecurity?

Budgets matter, but so do outcomes. Here, CISOs must prepare themselves to hear the “bad news” of what it actually costs to improve cybersecurity.

In many cases, more personnel isn’t the answer. Not only are full-time employees expensive, but the growing cybersecurity skills gap makes it difficult to find best-fit candidates. Instead, CISOs are often better served by emerging technologies such as artificial intelligence (AI), identity and access management (IAM) and automation.

AI can help identify potentially malicious behavior, IAM solutions help limit the chance of an insider breach and automation significantly reduces the chance of human error. What makes this challenging for many CISOs is that solution, service and implementation costs vary across providers and industries, making it difficult to pin down exact cybersecurity spend.

As noted by Bank Info Security, however, it’s often more useful to look at the overall benefit of enterprise cybersecurity than the cost. While current predictions suggest that costs will outweigh direct infosec benefits sometime this year, the long-term benefits to IT security will continue to outpace spending. CISOs must also account for the cost benefits of what doesn’t happen to their organization.

According to Accenture’s “Ninth Annual Cost of Cybercrime Study,” 79 percent of businesses say new technologies introduce vulnerabilities faster than they can be secured. Meanwhile, IBM Security’s “2019 Cost of a Data Breach Report” found that data breaches now cost companies $3.92 million on average.

The bottom line is that costs avoided by securing networks and applications against potential breaches are more than enough to tip the scales in favor of intelligent cybersecurity spend.

4. How Do I Explain This to the Board?

The C-suite wants answers and actionable results. In turn, requests for bigger cybersecurity budgets often look like line items rather than line-of-business benefits.

Here, CISOs need to work with IT teams to create a narrative that frames IT security as a critical part of business success. It’s not always easy: Security Boulevard noted that just 38 percent of companies bring CISOs in on the ground floor of business discussions, meaning they’re often given limited time to make their pitch for enterprise cybersecurity needs.

According to Forrester, CISOs must help boards shift from “a culture of awareness to a culture of trust and understanding.” In practice, this means speaking to business rather than IT impact of potential security risks. Malware attacks don’t just limit network uptime; they could result in reputation loss and regulatory fines. Improved infosec integration doesn’t just streamline IT operations, it saves money every time an attack is identified at the perimeter or unauthorized access requests are refused by applications.

Knowledge Is Power

While discovering new weaknesses, shining a light on shadow IT, analyzing infosec costs and decoding the new language of C-suites isn’t always easy, tackling these top questions can help CISOs enhance enterprise cybersecurity and cement their role as essential business enablers.