The Essential Questions Every CISO Must Be Prepared to Address

Security is a critical aspect of any business. Security helps businesses effectively manage resources and keep the organization safe. To uncover the information required for successful security, we conducted a poll among some of our top security experts and engineering leaders. We asked the question, “What are the top questions you need to answer about your business?”

The Chief Information Security Officer (CISO/CSO) oversees all things related to security within an organization. As such, CISOs must have ready answers to a wide range of questions about different areas of security. These areas include priorities, security controls, risk, critical assets, vulnerabilities, identity and access, and compliance.

After compiling and deduplicating the responses, we found specific questions that every CISO must answer. These questions, which we will discuss in two parts, cover a broad range of concerns and provide insights into where other security leaders direct their focus.

In part one of this series, we will look at the following areas of concern and the questions raised by the CISOs we polled:

Asset management – Asset management includes tracking the location of all physical and software assets, creating a complete inventory, and interrogating the asset management solution. The concerns related to asset management highlight the importance of defining criticality, prioritizing assets and findings, and mapping ownership, access, and vulnerabilities. Some of the top questions include: “Who owns critical assets and their associated findings?”, and Who can access critical data, and how?”.

Monitoring and detection – Continuous monitoring of networks, devices, servers, and other assets  is crucial to effective security. This continuous monitoring includes enabling logging, deploying the correct detection capabilities, and ensuring that your EDR tool is installed on all endpoints. The top question related to monitoring is: “Are detection capabilities everywhere they should be, fully capable, and up-to-date?”

Vulnerability management – Vulnerability management is a key preventative measure for all security professionals. The questions related to vulnerability management highlight the importance of prioritization, identifying the type of resource, assigning criticality, and finding the attack path or known exploit. Key metrics include vulnerability dwell time and SLA adherence. Some of the top questions include: “What are the vulnerabilities, who owns them, and who can fix them?” and “What is the vulnerability dwell time and SLA adherence?”

Risk management – Risk management is complex but essential for preparedness. The top risk management questions were more open-ended and focused on identifying the most important risks or attack paths and understanding how the risk posture evolves. Some of the top questions include: “What are the top risks and is the risk posture improving?”

Identity and access management and compliance – Identity and access management (IAM) is a critical aspect of security. CISOs are concerned about who has access, who should have access, and who can fix issues. The top IAM questions focus on mapping identities and access to compliance frameworks and regulations. Some of the top questions include: “What tokens and roles are associated with accounts, and do the tokens and roles comply with policies and security controls?”


In conclusion, CISOs must have ready answers to questions about assets, vulnerabilities, risks, and access. These answers help create confidence in the security processes and systems and are an important step toward security maturity. Lucidum can help answer these questions and more. Contact us today to learn more.