To get to the heart of any matter, you need to ask the right questions. Over the last few years, information security professionals have finally come around to appreciating that "Are we secure?" is not the right question to ask in a risk analysis.
To that question, the correct answer is always no. Almost everyone understands that being 100 percent secure is an unattainable objective. Security always has to be balanced against cost and convenience, and real-world users genuinely need access to applications, data, systems and networks to carry out their assigned tasks.
"How secure are we?" is not the right question either. That is not to say C-level decision-makers and boards of directors don't ask it of their information security leaders; it is exactly what they commonly ask, often verbatim. But what kind of answer would actually help them make more informed business decisions about security-related risks?