Over 35 years of IT security experience. Former head of US-CERT and currently the founder and CEO of MKACyber.
No one is secure because you can never achieve what it means to truly be secure. This is as true of our physical lives as it is of our digital ones. That said, there are no limits to building security. We can all do better, but doing better in cybersecurity requires information.
Ultimately, you can only be as secure as you know, and this means different things to different people. Consumers have to know which of their various online accounts are valuable and require added security (two-factor authentication, login notifications, etc.). Workers need to understand, at least to some degree, how cybercrime and other malicious hacks play out in order to be responsible stewards of the data they handle at work. Security and tech professionals require wide varieties of specialized knowledge that we lack the space or time to explore here.
Of course, executives need to know, too. They need to know how to get to the bottom of how secure their businesses are so that they can effectively quantify risk. Just as it is impossible to be truly secure, it is impossible to avoid risk. And what poses more of a risk to modern businesses than cyber threats? You have to take risks. Operating a business with a connection to the internet is in and of itself a risk. What you can’t do is take risks in the absence of relevant information. In fact, there’s a word for uneducated risk-taking: gambling.
As this is a forum for executives, this seems to be the level of security that is the most appropriate to discuss. It also happens to be an area of security that I frequently think about as a longtime security professional and, in more recent years, a CEO and C-level technical executive.
I could go deep down into the weeds on this, but it’s not really necessary. As a CISO, or a CEO, or a CTO, or a CIO, or any other relevant leadership position — from managers to board members — you need relevant information to empower yourself to right-size security at your organization. More operationally, if you know your exposure, then you can determine whether attacks are targeting the corporation or its employees. So you need a security/IT/development team that is feeding you important data about your organization’s exposure to cyber risk. If there is an attack, you need to know its scope and impact. Are you losing IP? Are you at legal risk because of attacks targeting employees on your network? Are your competitors taking advantage of your weaknesses?
Cybersecurity is esoteric and seemingly opaque to the uninitiated, but executives only need to understand it at a macro level. They have to understand that security is part of their business and a critical piece of every business — the fiber that holds a business together, in a sense. They don’t need to understand what a buffer overflow is, but they need to understand who is targeting their network, why, what the possible outcomes of a successful attack might be, and whether or not their security team has the ability to block or mitigate that attack.
In other words: There’s a level of security information that leadership needs to get, and it’s not the complicated bits of security. If your IT and security departments are organized, it’s easy to feed leadership the information it needs so that it can be confident about where the company is security-wise. Providing business leaders with the right information and metrics allows them to treat security like a business.