When we use the term "investigation", usually the first thing that springs to mind is the Police Force. Whilst anyone can look into problems, ask questions and try to work out what really happened, it is fair to say that the police have this down to a fine art.
However, when we look at how the police go about this, they don’t just ask questions. They pursue a line of questioning.
The choice of the right first question is of course imperative, but so too is active listening to the answer and posing the next question correctly, and the next and so on. This is the way true facts and situations are uncovered. The art is in knowing the questions to ask, when to ask them and building a probing and insightful conversational flow.
In the world of cybersecurity, the people who know the line of questioning to pursue are CISOs. They are the ones to investigate issues and get to the root cause, without fear or favour. They are the ones to discover if adequate controls are truly in place or not.
This doesn't always make them popular (every so often the police aren't popular either), and sometimes security professionals can be seen as blockers to doing business; but this is usually because they have been brought in to remediate problems after they have happened rather than brought in first to try to prevent them.
There is no substitute for a real CISO and their effectiveness is best delivered at the start of initiatives and projects, not at the end or after an event occurs. That is when their line of questioning and experience will have the biggest positive impact on determining a business’ true cybersecurity posture.
So, do you have a CISO? Do you include them at the start of projects? Do you fully support them in their approach and line of questioning when issues occur?
If you don’t then it might be time to question yourself.