Effective internal cybersecurity depends on chief information security officers (CISOs) and other security leaders knowing exactly what’s happening on their network and how it impacts overall protection. The problem is that when things are running smoothly, it’s tempting to go with the flow and avoid asking questions that might come with tough answers.

Here are four questions CISOs need to ask if they’re going to improve enterprise cybersecurity.

1. What’s Our Biggest Weakness?

The goal of cybersecurity is to mitigate vulnerabilities by identifying key weaknesses. Unfortunately, these IT issues aren’t always easy to spot in the CISO role given the amount of non-tech responsibility now owned by these executives. As Security Roundtable noted, the past few years have seen the CISO role evolve from one of risk manager to business enabler, in turn forcing a shift of both perspective and process.

As a result, CISOs must be willing to ask IT teams tough questions about where enterprise cybersecurity is effective and where potential weaknesses exist. Some of the most common include:

  • Cross-site scripting (XSS): This attack vector remains one of the most successful and lucrative for malicious actors. Almost 28 percent of all bug bounties in 2018 were paid to white-hat hackers who discovered DOM-based, reflected, stored and generic XSS vulnerabilities, according to HackerOne. What does this mean for CISOs? Even if they haven’t been a problem yet, XSS flaws almost certainly exist on the corporate network. Better to find them ahead of attackers.
  • Multifactor authentication (MFA): While introducing two or more factors for authentication significantly increases overall security with minimal disruption to user login processes, many organizations remain hesitant to implement it. Employee pushback is often the primary challenge, but while CISOs don’t want to fight an uphill battle for better cybersecurity, MFA is worth the work.
  • Insider threats: The majority of organizations now consider internal threats to be on the same level as outsider attacks. This aligns with HackerOne findings that information disclosure remains a top-three security weakness: Despite their best efforts, employees often represent the biggest weakness in enterprise cybersecurity. Improved education plays a role in reducing this risk, but CISOs must also take steps to limit privileged access and monitor user activity across corporate networks.
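The XSS item above says such flaws are best found before attackers do; the following is an added example, not code from the article or from HackerOne, showing what that looks like at code level: a server-side page template that reflects a request value straight into HTML (the weak form), the same template with HTML encoding applied (the corrected form), and a small scan that flags template interpolations lacking the encoder, the kind of check a pipeline can run over templates before release. The function names (`escapeHtml`, `renderGreetingUnsafe`, `renderGreetingSafe`, `findUnescapedInterpolations`) and the sample input are hypothetical and constructed for this illustration.

```javascript
// Added example (not from the article): reflected XSS in a template literal,
// its hardened form, and a scan for unescaped interpolations.
// Function names and inputs are constructed for demonstration.

// Minimal HTML entity encoder for text and double-quoted attribute contexts.
const ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => ESCAPES[ch]);
}

// Weak form: a query-string value is dropped straight into markup, so any
// markup in the input becomes part of the page (reflected XSS).
function renderGreetingUnsafe(name) {
  return `<h1>Welcome, ${name}</h1>`;
}

// Corrected form: the untrusted value is encoded for the HTML context it lands in.
function renderGreetingSafe(name) {
  return `<h1>Welcome, ${escapeHtml(name)}</h1>`;
}

// Lint-style check: list every `${...}` interpolation in a template's source
// that is not wrapped in escapeHtml(). Returns the raw expressions found.
function findUnescapedInterpolations(templateSource) {
  const findings = [];
  const interpolation = /\$\{([^}]*)\}/g;
  let match;
  while ((match = interpolation.exec(templateSource)) !== null) {
    const expr = match[1].trim();
    if (!/^escapeHtml\(/.test(expr)) {
      findings.push(expr);
    }
  }
  return findings;
}

// Constructed input containing markup; nothing here is a real payload.
const sampleInput = '<script>probe()</script>';

console.log('unsafe :', renderGreetingUnsafe(sampleInput));
console.log('safe   :', renderGreetingSafe(sampleInput));
console.log('scan unsafe template:', findUnescapedInterpolations(renderGreetingUnsafe.toString()));
console.log('scan safe template  :', findUnescapedInterpolations(renderGreetingSafe.toString()));
```

The scan works on the template's own source text, which is why it can be run over a whole directory of templates in CI without executing them; it reports the variable names that reach the page unencoded, which is the list a security team would want before any bug bounty report arrives. Stored XSS is handled by the same encoder at render time, and the DOM-based variant is addressed on the client by writing untrusted values with `textContent` rather than `innerHTML`.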

2. How Many Apps Are Really Running on the Network?

Shadow IT. It’s not any CISO’s favorite phrase, but it remains a common problem for enterprises. Thankfully, IT teams often have a better handle on — or can find out — exactly what applications and services are really running on corporate clouds. The number is often higher than expected: CSO pointed out that the proliferation of privately managed application programming interfaces (APIs) is quickly becoming “the new shadow IT” as developers and users deploy these APIs without security controls or oversight.

Armed with this knowledge, CISOs must create a plan to deal with shadow IT by determining how much risk benefits the business and how much is too much. Here, three broad strategies apply to turn shadow risk into business benefit:

  1. Ban everything — The most time- and resource-intensive option, some CISOs choose to aggressively pursue and eliminate shadow IT. This requires a top-tier monitoring solution to detect and identify unapproved apps. In addition, CISOs must draft clear guidelines and consequences for staff failure to comply.
  2. Incorporate where possible — This middle ground requires a review of all applications currently in use with the intent to green-light secure software solutions. Here, soliciting user feedback is often the fastest route to discovery — so long as it’s made clear that staff won’t face reprimands for coming forward with shadow application details.
  3. Design better solutions — Last but not least: Using in-house and open-source APIs to build applications that deliver key functions provided by shadow IT apps. The reasoning here is that shadow apps exist because employees can’t find the functions or ease-of-use they need from internal applications. By building out in-house alternatives, CISOs gain both security and critical network insight.

3. What’s the Cost of Improved Enterprise Cybersecurity?

Budgets matter, but so do outcomes. Here, CISOs must prepare themselves to hear the “bad news” of what it actually costs to improve cybersecurity.

In many cases, more personnel isn’t the answer. Not only are full-time employees expensive, but the growing cybersecurity skills gap makes it difficult to find best-fit candidates. Instead, CISOs are often better served by emerging technologies such as artificial intelligence (AI), identity and access management (IAM) and automation.

AI can help identify potentially malicious behavior, IAM solutions help limit the chance of an insider breach and automation significantly reduces the chance of human error. What makes this challenging for many CISOs is that solution, service and implementation costs vary across providers and industries, making it difficult to pin down exact cybersecurity spend.

As noted by Bank Info Security, however, it’s often more useful to look at the overall benefit of enterprise cybersecurity than the cost. While current predictions suggest that costs will outweigh direct infosec benefits sometime this year, the long-term benefits to IT security will continue to outpace spending. CISOs must also account for the cost benefits of what doesn’t happen to their organization.

According to Accenture’s “Ninth Annual Cost of Cybercrime Study,” 79 percent of businesses say new technologies introduce vulnerabilities faster than they can be secured. Meanwhile, IBM Security’s “2019 Cost of a Data Breach Report” found that data breaches now cost companies $3.92 million on average.

The bottom line is that costs avoided by securing networks and applications against potential breaches are more than enough to tip the scales in favor of intelligent cybersecurity spend.

4. How Do I Explain This to the Board?

The C-suite wants answers and actionable results. In turn, requests for bigger cybersecurity budgets often look like line items rather than line-of-business benefits.

Here, CISOs need to work with IT teams to create a narrative that frames IT security as a critical part of business success. It’s not always easy: Security Boulevard noted that just 38 percent of companies bring CISOs in on the ground floor of business discussions, meaning they’re often given limited time to make their pitch for enterprise cybersecurity needs.

According to Forrester, CISOs must help boards shift from “a culture of awareness to a culture of trust and understanding.” In practice, this means speaking to the business impact of potential security risks rather than the IT impact. Malware attacks don’t just limit network uptime; they could result in reputation loss and regulatory fines. Improved infosec integration doesn’t just streamline IT operations; it saves money every time an attack is identified at the perimeter or an unauthorized access request is refused by an application.

Knowledge Is Power

While discovering new weaknesses, shining a light on shadow IT, analyzing infosec costs and decoding the new language of C-suites isn’t always easy, tackling these top questions can help CISOs enhance enterprise cybersecurity and cement their role as essential business enablers.
