How well do you understand the cybersecurity risks of the company you govern? Liability questions loom large for corporate executives and directors alike, especially when reports of a new high-profile vulnerability or breach start popping up in the media. Yet, many corporate directors struggle with understanding how the technical aspects of cybersecurity translate to business outcomes.

Spend time with a company’s chief information security officer (CISO) or chief information office (CIO) and you’ll probably get a laundry list of technical factors with specific metrics like the number of vulnerabilities present in the organization, how many unpatched systems exist, and how these numbers compare in different regions where the company operates.

While this information is useful, unless you understand the technology it will raise more questions than answers for you as a director. And, this kind of accounting doesn’t really answer the number one question every corporate director needs to ask about cybersecurity: Where are we exposed?

Why is this question so important? Because only by understanding the full scope of a company’s attack surface can you possibly help guide the business decisions that need to be made in the wake of an incident. So, how can you get the right answer to this question without having to wade through technical jargon?

The Answers You Don’t Need

Let’s look at two typical responses you may receive when you ask about where the company is exposed, and why these responses aren’t helpful to you in your role:

1. We have spotted 600 vulnerabilities on our 2,500 mobile devices. Whether this sentence is completed with technical details about your mobile devices, on-premises data center, cloud services, legacy systems, or new systems like IoT and edge computing, it is probably only part of your information technology (IT) infrastructure story.

   In order to know your total vulnerability picture, you need more than a snapshot of one or two parts of your overall IT infrastructure. Today’s IT organization is complex and layered. Even if your CISO is able to provide you with the exact number and type of vulnerabilities in each layer, you would struggle to understand what that means in terms of risk to the business.

2. Our cloud provider says that their cloud is secured. Cloud providers are not responsible by law for your company’s security or compliance with the same regulations to which your company is beholden. Ultimately the liability lands squarely on your company.

   Cloud providers typically are responsible for the security of their cloud, but not the applications and virtual machines you might place on their systems. So, while it is comforting to hear the steps cloud providers take to keep your data secure and in compliance, your company is not legally absolved from responsibility by those actions. A holistic view of your total exposure—including cloud apps and services—is needed so the cybersecurity team can add the necessary layers of protection. And, you need a holistic view in order to understand which of the organization’s business-critical IT services might be affected.

The Answer You Need

Security teams must truly look everywhere to ferret out all the vulnerabilities that exist. To accomplish this, they’ll need new tools specifically designed to sniff out new vulnerabilities as they appear in real time. This requires a strategic shift from deploying piecemeal security systems to embracing a holistic approach to discovery, reporting, and risk mitigation. By coming to terms with where your exposures are—or are likely to be—you reveal the larger picture of where the organization is most at risk, and what work needs to be done.

Only when a holistic cybersecurity strategy is in place can the organization’s security team give you the answer you need:“We have the ability to see our entire attack surface, including containers, web applications, servers and our industrial control systems. We are exposed to this vulnerability on 12% of our infrastructure. Our average time to address an issue of this magnitude is 18 days.”

The only way your security team can answer with this level of accuracy is to close the gaps in your security coverage and increase visibility. Every hidden corner of the company’s IT infrastructure must be illuminated and secured against threats. Only then can your security team produce reports which itemize specific vulnerabilities in cloud services and cloud environments, on-premises data centers, private and cloud environments, containers, industrial control systems, points of sale, HVAC, devices connected to the Internet from aquariums to smart TVs in break rooms, and anything else not typically handled by the IT and security operations teams.

Your CISO should use that list to provide you with a high-level overview of the systems and users which are most at risk, so you can urge management to plan the company’s next steps accordingly. Anything less will leave your security teams trying to mitigate risk in the dark. And that’s simply too big a risk for any company.

Want to learn more about key cybersecurity risk indicators, and what they mean to your business? Read our report, “Managing Cyber Risk: The New Mandate from the Corner Office.”