Aug 5, 2025

Strategy

Why We Stopped Asking 'Are We Secure?'

"Are we secure?" demands a yes or no answer to an infinitely complex problem. It's like asking "Are we healthy?" about a person—the answer depends entirely on what you're measuring and what you're comparing against.

The question forces security leaders into defensive postures. Nobody wants to say "no" to the CEO, so we focus on metrics that let us say "yes"—compliance percentages, tool deployments, training completion rates. We optimize for answers that sound good rather than insights that are useful.

The result? Security theater disguised as security strategy.

Consider the real cost: organizations take an average of 277 days to identify and contain a breach, at a cost of $4.88M per incident (IBM Cost of a Data Breach Report 2024). Most of these organizations could answer "yes" to "Are we secure?" right up until they couldn't.

The Questions That Actually Matter

After years of fumbling through binary security discussions, we've learned that better questions reveal better insights. Here are the questions that actually help assess and communicate risk:

"What's our blast radius if X goes wrong?"

Instead of asking whether we're secure, ask what happens when security fails. Because it will.

  • If our payment system gets compromised, how many customers are affected?

  • If an insider goes rogue, what data can they access?

  • If our main application goes down, what's our recovery time?

"What assumptions are we making about our security?"

This question reveals dangerous blind spots. Common assumptions that prove wrong:

  • "Our developers would never bypass security controls"

  • "Our cloud provider handles all infrastructure security"

  • "Phishing training means employees won't click malicious links"

  • "Our firewall prevents lateral movement"

Only 29% of organizations have visibility into security issues within their CI/CD pipelines (GitLab DevSecOps Survey 2024), yet most assume their development pipeline is secure.

"What would we do if our primary security tool failed tomorrow?"

Dependencies create vulnerabilities. Questions that reveal them:

  • If our SIEM went down, how would we detect threats?

  • If our endpoint protection failed, what's our backup plan?

  • If our security team got hit by a bus, who makes security decisions?

One security leader learned this the hard way: "Our entire security program depended on one person knowing how to configure our main tool. When he left, we realized we'd built a single point of failure disguised as a security program."

"How do we know our security controls are working?"

Different from "Do we have security controls?" This question probes effectiveness:

  • When did we last test our incident response plan?

  • How often do our security controls generate false positives vs. catch real threats?

  • What's our security tool utilization rate vs. deployment rate?

Security teams receive an average of 11,000+ alerts per month, with 67% going uninvestigated (Ponemon Institute, 2023). Having controls and using them effectively are different things.

Framework: The Risk Reality Check

Replace "Are we secure?" with a simple framework:

  • Current State: What are our top 3 security risks based on business impact?

  • Detection Capability: How quickly can we identify if these risks materialize?

  • Response Readiness: What's our realistic response time for each risk?

  • Recovery Plan: How do we minimize business impact if prevention fails?

This framework shifts conversations from compliance theater to business reality.

Better Metrics for Better Questions

Traditional security metrics (vulnerabilities found, patches deployed, trainings completed) don't answer risk-based questions. Better metrics include:

  • Mean time to containment for different attack types

  • Business process recovery time after security incidents

  • Percentage of critical assets with real-time monitoring

  • Security decision response time (how fast can we approve/reject security requests)

A retail CISO tracks "checkout availability during security incidents." His goal isn't zero incidents—it's maintaining business operations during incidents.
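The Risk Reality Check and the outcome metrics above are easier to argue for when they come out of real incident and asset records rather than a slide. The script below is an added example written for this article, not the author's own tooling; it runs over a constructed set of incident and asset records (field names such as `started_at`, `contained_at` and `realtime_monitoring` are assumptions) and computes mean time to identify and contain per attack type, worst-case business process recovery time, real-time monitoring coverage of critical assets, and a top-N risk ranking by observed business impact.

```python
"""Risk-based security metrics from incident and asset records (added example)."""
from dataclasses import dataclass
from datetime import datetime, timedelta
from statistics import mean


@dataclass
class Incident:
    attack_type: str
    business_process: str
    started_at: datetime     # estimated first attacker activity (assumed field)
    detected_at: datetime    # when the security team noticed
    contained_at: datetime   # when the attacker was cut off
    recovered_at: datetime   # when the business process was back to normal


@dataclass
class Asset:
    name: str
    critical: bool
    realtime_monitoring: bool


def _hours(start: datetime, end: datetime) -> float:
    return (end - start).total_seconds() / 3600


# Constructed sample records; none of these are real incidents or assets.
T0 = datetime(2025, 7, 1, 9, 0)
H = timedelta(hours=1)
INCIDENTS = [
    Incident("phishing", "email", T0 - 24 * H, T0, T0 + 6 * H, T0 + 8 * H),
    Incident("phishing", "email", T0 + 70 * H, T0 + 72 * H, T0 + 74 * H, T0 + 75 * H),
    Incident("ransomware", "checkout", T0 + 120 * H, T0 + 240 * H, T0 + 288 * H, T0 + 312 * H),
    Incident("credential_stuffing", "checkout", T0 + 359.5 * H, T0 + 360 * H, T0 + 361 * H, T0 + 361 * H),
]
ASSETS = [
    Asset("payment-gateway", critical=True, realtime_monitoring=True),
    Asset("customer-db", critical=True, realtime_monitoring=True),
    Asset("hr-portal", critical=True, realtime_monitoring=False),
    Asset("build-server", critical=True, realtime_monitoring=False),
    Asset("wiki", critical=False, realtime_monitoring=False),
]


def _mean_hours_by(incidents, group_attr, start_attr, end_attr):
    """Mean elapsed hours between two timestamps, grouped by one incident attribute."""
    buckets = {}
    for inc in incidents:
        hours = _hours(getattr(inc, start_attr), getattr(inc, end_attr))
        buckets.setdefault(getattr(inc, group_attr), []).append(hours)
    return {key: mean(values) for key, values in buckets.items()}


def mean_time_to_identify(incidents):
    """Mean hours from first attacker activity to detection, per attack type (dwell time)."""
    return _mean_hours_by(incidents, "attack_type", "started_at", "detected_at")


def mean_time_to_contain(incidents):
    """Mean hours from detection to containment, per attack type."""
    return _mean_hours_by(incidents, "attack_type", "detected_at", "contained_at")


def worst_process_recovery(incidents):
    """Worst observed hours from detection to business process recovery, per process."""
    worst = {}
    for inc in incidents:
        hours = _hours(inc.detected_at, inc.recovered_at)
        worst[inc.business_process] = max(worst.get(inc.business_process, 0.0), hours)
    return worst


def critical_monitoring_coverage(assets):
    """Percentage of critical assets that have real-time monitoring."""
    critical = [a for a in assets if a.critical]
    if not critical:
        return 0.0
    return 100.0 * sum(1 for a in critical if a.realtime_monitoring) / len(critical)


def risk_reality_check(incidents, top_n=3):
    """Rank business processes by observed impact (worst recovery time) and attach
    the detection and response numbers the framework asks for."""
    rows = []
    for process, recovery in worst_process_recovery(incidents).items():
        mine = [i for i in incidents if i.business_process == process]
        rows.append({
            "process": process,
            "worst_recovery_hours": recovery,
            "mean_hours_to_identify": mean(_hours(i.started_at, i.detected_at) for i in mine),
            "mean_hours_to_contain": mean(_hours(i.detected_at, i.contained_at) for i in mine),
            "attack_types": sorted({i.attack_type for i in mine}),
        })
    rows.sort(key=lambda r: r["worst_recovery_hours"], reverse=True)
    return rows[:top_n]


if __name__ == "__main__":
    print("Mean hours to identify, by attack type:", mean_time_to_identify(INCIDENTS))
    print("Mean hours to contain, by attack type:", mean_time_to_contain(INCIDENTS))
    print("Worst process recovery hours:", worst_process_recovery(INCIDENTS))
    print("Critical assets with real-time monitoring: %.0f%%" % critical_monitoring_coverage(ASSETS))
    for row in risk_reality_check(INCIDENTS):
        print(row)
```

The ranking deliberately sorts by worst recovery time rather than by incident count: two quick phishing incidents against email matter less to the business than one ransomware incident that kept checkout down for three days, which is the distinction the retail CISO's "checkout availability" metric is built on. Swap the constructed records for an export from your ticketing or IR platform and the same four functions give the numbers for the Current State, Detection Capability, Response Readiness and Recovery Plan lines of the framework.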

The Cultural Shift

Moving from "Are we secure?" to better questions requires cultural change:

  • From: Providing reassurance to leadership To: Providing realistic risk assessment

  • From: Measuring security activity To: Measuring security outcomes

  • From: Avoiding uncomfortable conversations To: Having necessary conversations before they become emergencies

One board member told us: "I'd rather hear about three specific risks we're managing than twenty metrics that make us feel good."

Start With One Better Question

Pick one critical business process and ask: "If this failed due to a security incident, what's our realistic recovery time and business impact?"

Then work backward:

  • What could cause this failure?

  • How would we detect it?

  • Who would respond?

  • What's our actual (not theoretical) response capability?

This exercise often reveals gaps between security confidence and security reality.

The Uncomfortable Truth

"Are we secure?" is a question that demands false certainty. Better questions acknowledge that security is about managing risk, not eliminating it.

The goal isn't to have perfect answers—it's to have honest conversations about realistic risks and practical capabilities.

As one CEO put it: "I don't need my CISO to guarantee we'll never get breached. I need them to help us understand our risks so we can make informed decisions about them."

Stop asking if you're secure. Start asking how you'll handle it when security fails. Because the question isn't whether it will happen—it's whether you'll be ready when it does.