5 Best Questions Boards Should Absolutely Ask Their CISO Every Quarter

There’s no more keeping IT isolated in its own department — technology plays a vital role in every business at every level, a fact that’s only become more obvious in the context of the growing prevalence of remote work. That’s why board members should be communicating with their CISOs on a regular basis. It’s easier than it sounds. Here are five straightforward CISO discovery questions any board member can ask to get the conversation started.

  1. When was the last test of disaster recovery, and what is not being tested?
  2. When was the last test of offline backups?
  3. When is the next penetration test scheduled?
  4. Have we addressed the SANS Top 20?
  5. What are your top cybersecurity needs and why?

The goal is to get your CISO into more of your board discussions to inform decision-making and facilitate the implementation of security-conscious practices. Once you start asking your CISO questions, you can begin to form an understanding of your current security posture and work with them to adopt a better cybersecurity approach. Watch the video below for more on this topic.


Ask your CISO these questions, learn about your security posture, and become their best advocate in the boardroom. As a united front, you can then bring in tools like SightGain’s to get a holistic view of your entire security stack and move towards a mindset of constant testing and improvement.

Learn More

Video Transcript

0:00 Intro
0:31 Measuring SOC Performance: SOC Metrics
1:29 Measuring SOC Performance: Top 5 Metrics SOC Leaders Should Look At
3:16 Measuring SOC Performance: SightGain Readiness Approach
3:41 Review

Security is hard, and the SOC director’s job has many components. You’re in a knife fight every day. So you need the right tools and information to know how well the SOC is performing. SightGain has studied this in-depth and our innovative SightGain readiness platform has enabled some SOC’s to go from catching less than twenty percent of malicious activity at the start of our engagement to over ninety percent in just a couple of months.

0:31 Measuring SOC Performance: SOC Metrics

Up until now, SOC metrics have focused on activity, not necessarily effectiveness. Traditional measures like the number of scans, the number of blocks, the number of tickets closed, and patching statistics have been the coin of the realm. But without context, this is just data, and it does not give insights into the actual performance of your cybersecurity system against the threats that everyone is there to stop.

I remember one large federal customer in particular. They had one of the biggest SOCs in all of the government. They were really proud of themselves in that they were blocking millions of malicious emails, stopping viruses left and right, and had a room full of fancy monitors and reports on overall status.

But do you know what? When we tested them against real malicious tactics, they only caught a small percentage of the things that they should have. So their normal metric showed that they were doing well. However, our tests showed that they had many blind spots. So we help them tune their systems and improve their performance. But organizations just need better metrics to know how their systems are actually working.

1:29 Measuring SOC Performance: Top 5 Metrics SOC Leaders Should Look At

We’re excited to talk about the top five metrics that we think every SOC leader should look at.

First, what percentage of your adversary techniques are we missing? This gets to the heart of effectiveness, and tells you across the mitre attack framework how many of these techniques are you catching, how many are you blocking, how many are you alerting on, and then at the end of the day, how many are you just flat out missing.

Second, what is our SIEM signal-to-noise ratio? When we do tests against the adversary tactics, how much other noise is out there? Is there an alert created for what we tested or not, and what else is happening in relation to that activity? Are we able to provide our analysts and our other systems with the information that they need to take good action based on that information?

Third, what percent of adversary techniques are we addressing through automated needs? So number one talked about effectiveness. This one gets to the heart of efficiency. We can’t really focus on efficiency until we’re effective. But we think as time goes on over the next five years, it’s going to be important to really focus on how much of our system have we automated in order to drive down costs, increase response speed.

Talking about speed brings us to our fourth metric. How fast and how often are responses occurring from tier one to tier three? Are we getting good triage from our tier one, and bringing that information up to the higher level tiers for the appropriate actions?

Finally, number five. What is the return on our investment for people, process, and technology? Are we a SOC that is operating at a high maturity level, or are we still building towards what the key ingredients are? By analyzing the return on investment, we can really identify where we need help[, and then how much that help should cost.

3:16 Measuring SOC Performance: SightGain Readiness Approach

The key to making all of this work is technology that automates testing against adversary tactics. By using these technologies to automate the testing and the ability to go across and proactively evaluate all of those mitre attack techniques, you can really have a robust understanding of how your system is going to respond at the time and place that it is required.

3:41 Review

Ok, so to review, the top five metrics that we recommend SOC directors look at. Number one, what percentage of adversary techniques are we missing. Number two, what’s our SIEM signal to noise ratio. Number three, what percentage of adversary techniques are we addressing through automated means. Number four, how fast and how often are we responding from tier one to tier three. And finally, what’s our return on investment for our people, process, and technology that are making the SOC operate on a daily basis.

Click the link below to find out how SightGain can boost your SOC metrics, and subscribe to our YouTube channel to keep pace with all of the innovations that we’re bringing to the market.

Learn more about the SightGain readiness platform: