Crucial Questions From CEOs and Boards
80/20 outcome of picking a viable small set of metrics that represented the majority of the risk outcome. Leading metrics, as opposed to even well-calculated and modeled lagging metrics, were the most transformational - especially when subject to Board limits (mandates).
Bottom line: • Crucial Questions From CEOs and Boards
Get your business units to pull help from security and not have security keep pushing improvements on them. The main thing is for the CEO to not just provide support and resources for the CISO but to actually change the dynamic by regularly expecting each business line executive or functional leader to be able to articulate at some appropriate leve ...
This is important because if you don’t know how well your software is controlled and you can’t routinely build and deploy it then you have limited agility, inability to drive security improvements with acceptable operating risk and many other factors that are crucial to cybersecurity.
what are our most critical assets and business processes, what risks do they face and how do we mitigate those, how do we monitor that risk mitigation to make sure it remains effective and who and how has deemed any residual risk acceptable? Finally, how do we independently challenge this to make sure we’re not getting too comfortable?