CISO Perspective: Five Unusual Questions I’ve Been Asked by the Board

6a01156f8c7ad8970c01b8d2468809970c

As the Chief Information Security Officer (CISO) of Imperva, I head up the team that is responsible for security and compliance across the enterprise footprint and cloud operations activities for the company and its SaaS product lines.

I also have the responsibility to communicate to the Imperva Board of Directors and the senior management team about mitigating the risk of potential threats such as data breaches and thefts. These threats could damage our company’s growth prospects, bottom line and brand reputation, therefore I work with board members to ensure that strong programs are in place to respond to any incident, and I brief them regularly on cyber security.

While effective board communication is a shared responsibility between me and our CIO, questions often fall to me. It’s not unusual to be asked “Are we secure?” It’s unrealistic to think that any company can ever achieve a zero-risk state. There’s no guarantee a data breach will never occur, but I do my best to assure board members that major cyber threats will be mitigated and that we align with regulatory and industry security best practices. As a team, the CIO and I try to avoid propagating fear, uncertainty and doubt. Our credibility is essential.

From time-to-time, however, I do get asked some atypical questions. After all, online security impacts not only our company, but other areas of our lives as well. Here are a few questions I’ve been asked over the years:

  • My kid’s school published a policy requiring personal passwords are only to be shared when needed. Do they have the right policy?
  • What’s the best password manager app to use? My kid advised that I use this one. Are you familiar with it?
  • How do I know if it’s safe to click on a link in an email? (Probably a bad idea.)
  • How are we protected from CEO scams? Do bad actors actually use my name? (Yes, they do.)
  • Is the Red Team (hackers on the InfoSec team) after the board as well?

Remember that directors will ask questions, so be prepared with a response for various scenarios, especially the ones you hope they don’t ask. And answer the unexpected, like those above, with the same candor and expertise you normally would. Much of the responsibility for effective communication rests with the CISO, but board directors also have an obligation to ensure that dialogue is open, honest and generates valuable and insightful knowledge. We have a series of informational discussions on this topic on our blog, and hope you will join us in the conversation there.

Shahar Ben Hador is Chief Information Security Officer at Imperva and has been with the company since 2008.