When an Exec Asks: Are we Secure?
By Gideon T. Rasmussen, CISSP, CRISC, CISA, CISM, CIPP

At least once or twice a year an executive will ask "Are we secure?" That is an opportunity to engage and to gain their partnership and support.

The response to "Are we secure?" depends on your relationship with the exec and the risk tolerance of your organization.

Here are potential responses:

  • Are we secure?: Answering that question is a function of our cybersecurity program. We can discuss metrics, the risk register and risk tolerance of our organization.
  • Are we secure?: We have a cybersecurity program with assessments, scans, metrics and a risk register so risk is managed.

In either case, it makes sense to suggest a 30-minute 1:1. Consider bringing slides to frame the conversation:

  • An overview of the cybersecurity framework
  • Top 10 risks in a scorecard format
  • Current annual goals
  • Multi-generational plan

Be prepared to answer "What do you need from me?" Discuss how to partner together and cover existing meeting and communication routines. The exec may be interested in future 1:1s (e.g. quarterly or every six months).
