CEOs and company boards often ask Kevin Mandia, founder and former CEO of Mandiant, how to determine the strength of their CISOs. Above all else, Mandia advises executives to assess their CISO’s disposition.
“Do you have a CISO with a security mindset? If they don’t have that, you’re probably not going to have a great security program,” Mandia said Wednesday during his opening keynote at the Mandiant Worldwide Information Security Exchange conference in Denver.
Because organizations encounter cyberthreats in an asymmetric landscape, executives and boards rarely have the luxury of digging deep into their security leader’s management skills or technical acumen. For most organizations, cyberthreats are too imposing to get bogged down in low-impact exercises.
“There's very little deterrence in the cyber domain. We are all just playing goalie, and the attackers are in safe harbors with unlimited penalty kicks against us. It's a disadvantage,” Mandia said.
Private organizations typically don’t have the means to invest in offense, he said. “You have to constantly think about defense and how do we withstand the constant onslaught that's up against us.”
Over the past couple of decades, Mandia has crafted a series of five questions designed to help executives and board members test their confidence in a CISO’s ability to excel in the job.
The questions on Mandia’s CISO confidence test include:
- How would you break into us? What is our weak spot?
- What is our worst-case scenario?
- What would you do if the worst-case scenario occurred?
- How resilient are we? How long would it take to recover our systems and applications?
- What do you need?
Mandia, who now serves in a strategic security advisor role at Google Cloud, said CEOs should focus on their CISO’s response to these questions as a measure of their demeanor.
“I tell CEOs, you don’t even care what the answer is to these questions as long as your CISO actually has one, because at least that means you have the mindset,” Mandia said.