Five Cyber Security Questions Any CISO Should Be Able to Answer in 2022
Changes to working patterns, cyber risks, and technology all demand change. But with more investment and greater scrutiny comes more questions from more people.
Your ability to provide the right answers will determine how cyber security is perceived within your organisation — and how you are perceived as a leader.
Although the specifics will always vary, there are a handful of very common questions — or at least question types — that are worth your attention. Understanding these questions, why they are asked, and the best kind of response will help you provide the right answers at the right time.
This is our guide to the most common cyber security questions you’re likely to encounter in 2022, and that any self-respecting CISO should be ready to answer. Let’s get started.
Cyber security is all about risk management. Getting questions about risk exposure and the effectiveness of your mitigation strategies will be common. But these queries can also be rooted in misunderstanding.
Are we 100% secure? Can you guarantee that it will work? Are you sure?
This question is about peace of mind, but it’s also often rooted in a misunderstanding about the fundamentals of cyber security. The person asking this question wants to understand the level of risk — but, more likely than not, they just want you to take away uncertainty.
Use specifics to explain where there are tangible benefits, but make sure to reset this person’s expectations. For example, “Cyber security is not about guarantees, it’s about risk management and threat reduction. But I can assure you that these steps will benefit us, and will do so in the following ways…”
However, you can (and should) alleviate their fears by making it clear that uncertainty is part of your strategy. You can use this point to support greater investment in cyber. For example, “Although we never know what threats are around the corner, change, continual assessment and agility sit at the core of our strategy. Certainty isn’t a luxury we have, and that’s why we can’t become complacent.”
People know that there are risks, but they don’t often know how to quantify these risks, or what form they take. As a nexus of security expertise, leaders from across your organisation are likely to ask your opinion. It’s important to be prepared with specifics.
Can you tell me our biggest risks? What keeps you up at night? What should we be concerned about most?
This question is about risk management. It’s generally asked by someone who understands that risk is inevitable, and they want you to prioritise the challenges.
You want to be honest and you want to have an answer ready. Understanding your organisation’s risks is a significant part of your job. You may want to hedge your statement, highlighting that there are other risks. But you should have a specific answer to this question and be able to explain steps you have already taken to mitigate this risk, and steps you will take to further reduce the threat.
For example, “Outside threats always change, but my biggest concern recently has been … We developed a five-step solution, the first two stages of which have already been executed. We have…”
News of a breach or cyber-attack can spread quickly. Security, in the abstract, is great. But business leaders are often just as interested (if not more interested) in how they stack up against the competition. There is a lot of value in looking at how you compare against the market, but it’s important not to overcommit to an evaluation before all the facts have come to light.
What happened at company X? How do we compare to others? How bad is it out there?
“If it bleeds it leads” — and most cyber security news items that filter out to the general public are scare stories. Board members and business leaders will read these articles and reports and understandably be concerned. This question is about better understanding the threat landscape and understanding your organisation’s comparative position in the market.
This question is a great opportunity to talk about trends, reasons to invest in improvements, and demonstrate the risks of not being prepared. However, you want to avoid speculating about the root causes of things that you don’t understand. Particularly when it comes to fast-moving news stories, you are likely to get questions about events before anyone understands what happened.
Address the question head on, but quickly double back to problems and solutions rather than speculation. For example, “I don’t want to speculate about that incident until more information is available. But I can assure you that we are watching the situation, and would be happy to follow up with you when we know more. However, this is just one more example about why taking our internal risks seriously is so important. I would highlight…”
It’s important that cyber security outcomes are effectively delivered. But cyber security investments can be expensive — and, let’s be honest, there is a limitless number of investments that could be made.
An effective cyber security programme will rely on cyber security risk assessments and the triaging of threats. You need to be ready and able to explain the reasons you have made the investments you have, and explain why they are effective, and where more investments need to be made.
Are we spending enough? Are we spending too much? Are we allocating our resources correctly?
Board members want to understand how resources are being used, where cost can be cut, and where greater investment is needed. Communicating these key points is a critical part of your Board presentation — this question is generally about getting you to expand on one of these points.
Having an understanding of where more investments are needed and where, perhaps, investment can be cut will help you answer this question. Again, having a straightforward answer is best, and tying your answers back to business outcomes and strategy will contextualise your response — particularly if you’re suggesting greater investment is needed. Wherever possible, explain your goals in terms of business performance, not technology.
You can also use this question as an opportunity to address the fact that it’s not all about money. Cultural support, commitment to secure processes and organisational structure all matter. You might need to spend money upfront in order to train staff or develop a new strategy. But it’s really about how your organisation operates, not simply what it spends money on. You might want to stress the need for cross-departmental communication and support, not just funding.
There are no guarantees in cyber security. Breaches happen, and you need to be prepared for that eventuality. That means having a cyber response plan, and it also means being prepared to answer questions. You can be sure that if an incident occurs, it will be accompanied by a lot of questions.
How did this happen? What went wrong? You said you had it under control!
This question means that something went wrong. You might be informing the Board (or leadership) about this problem, or they might already know.
You have to take responsibility — but you should also note that incidents happen, that is the nature of cyber security. Use this as an opportunity to highlight the importance of continued vigilance and explain your plan of action to mitigate this risk in the future. Be factual, be ready to supply details, outline the weaknesses that were exposed and explain the steps underway that will reduce this risk moving forward.
It’s always good to answer a hard question head-on, and immediately. For example, if you’re in the middle of a presentation, don’t stick rigidly to your agenda at the expense of addressing questions as they arise.
Fundamentally, the better you understand the risk landscape, your organisation’s risk exposure, and your risk strategy, the easier it will be to respond to any questions that come your way. Beyond that, by studying these basic question types and why they are asked, you can quickly respond in ways that will resonate best.
How you communicate cyber security to leadership makes a big difference. If you want more details about how to talk to the board, check out our free resource — Board Presentation ToolKit: Cyber Security and Threat Management.