The CISO's Three Questions Every Quarter
CISOs ask different questions than engineers. The right three drive the right work.
Q1: What changed in our threat model
- Threat models drift. New products, new partners, and new regulations move the threat surface every quarter.
- Honest answer: the changes you should have addressed but did not. Vague answer: "nothing changed."
Q2: What did we discover too late
- Discovery delay is the most expensive failure mode. The longer the gap between event and detection, the higher the cost.
- Honest answer: 1-3 specific incidents where detection lagged.
Q3: What is one less thing we own
- Less surface means less risk: decommissioned services, archived accounts, removed dependencies.
- Honest answer: at least one thing per quarter that you actively removed.
How to answer well
Ahead of the meeting: pick three concrete examples per question; do not improvise.
In the meeting: own the gaps; propose dated next steps.
Antipatterns
- Vague reassurance. Erodes trust.
- Listing every alert as a 'discovery.' Inflation devalues the metric.
- Adding things, never removing. Surface only grows.
What to do this week
Three moves. (1) Pick one production system to apply this pattern to first. (2) Measure the security signal before and after applying it. (3) Document the gap and write a follow-up ticket so the program stays alive between quarterly reviews.