What I’ve Always Wanted to Ask a CISO (But Never Dared to)
By Eckhart Mehler for CISOsCISO — a perspective on cybersecurity leadership, governance and the decisions that determine whether organizations retain control.
Yesterday, on February 19, 2025, the local OWASP group in Hamburg, represented by Dirk Wetter, held another open meeting, hosted by CHECK24 Vergleichsportal GmbH with a great view of the Alster Lake. The same topic and format had already been successful at the local group in Frankfurt. Several prominent CISOs, including Julia Hermann and Dr. Tim Sattler, answered questions from an audience of numerous software experts, OWASP members, and other interested attendees.
Since time for such fantastic events always seems far too short, I decided to revisit the topics of this OWASP meeting and compile my own questions to CISOs and some potential answers here.
I’m very interested in actively promoting the intensive and necessary in-depth collaboration among software engineers, architects, designers, admins, security specialists, and everyone else, to keep advancing our teamwork to the next level.
Perhaps you, too, would enjoy continuing the discussion in more depth.
A heartfelt thank you once again to Dirk Wetter from the OWASP Stammtisch in Hamburg, who has once again done a fantastic job supporting the OWASP cause.
I. Emerging Threats & Trends
- Which new attack vectors are you currently seeing for modern microservices, and how are you preparing for them?
- How do you keep up with increasingly sophisticated ransomware techniques, especially in DevOps environments?
- How do you assess the growing number of supply chain attacks in software projects?
- What role do new regulations (e.g., NIS2, DORA) play in shaping your security budget and priorities?
- How do you ensure effective security awareness among development teams when new threat trends emerge?
II. Application Security (AppSec)
- How do you align secure coding standards with the OWASP Top 10 in collaboration with development teams?
- What methods do you use to scan software components for known vulnerabilities (CVEs)?
- How do you prioritize fixes for critical security holes when releases are under time pressure?
- What is the value of penetration testing compared to continuous security testing in the CI/CD pipeline?
- How do you incorporate secure coding training or Security Champions into the development organization?
III. Secure SDLC
- How do you ensure security is factored into the earliest planning phases of software projects?
- Which tools or frameworks do you recommend for automated security gates in CI/CD pipelines?
- How do you measure and track security-related technical debt in the development process?
- What communication channels have you established between developers and the security team for quick response to findings?
- How do you integrate Privacy by Design and Security by Design throughout the SDLC?
IV. AI/ML Security
- How do you protect ML models from manipulation and data poisoning throughout development and deployment?
- What role does Explainable AI (XAI) play in your security and compliance considerations?
- How do you handle the trade-off between performance and security for real-time ML services?
- Which governance processes have you introduced to regularly check ML models for bias and security vulnerabilities?
- How do you assess the increasing use of AI coding assistants (e.g., GitHub Copilot) regarding code security?
V. Managing Third-Party Risk, incl. OSS
- How do you assess security risks when selecting open-source components before using them in production?
- What strategies do you use to minimize third-party dependencies and avoid lock-in risks?
- How do you handle zero-day vulnerabilities in popular open-source libraries, and how do you respond quickly internally?
- How do you integrate a reliable Software Bill of Materials (SBOM) into your projects to track dependencies?
- How do you evaluate external SaaS providers before integrating them into the company’s ecosystem?
VI. Cloud Security
- How do you practically apply the shared responsibility model in AWS/Azure/GCP within your organization?
- What measures do you take to enforce a least privilege approach in cloud environments?
- How do you manage containerized workloads (e.g., Kubernetes) and their security aspects within the cloud?
- What role do cloud-native security services (e.g., AWS GuardDuty, Azure Security Center) play in your strategy?
- How do you plan for business continuity and incident response across multi-cloud or hybrid-cloud environments?
Publication Note & Disclaimer
This article was originally published on LinkedIn on February 20, 2025 and may have been edited or updated for publication on this site.
It reflects my personal professional perspective and does not represent the official policy or position of my employer. Drafting and editorial refinement may have been supported by commercially available AI-assisted tools. The analysis, conclusions and final curation are entirely my own.
For information regarding image credits, copyrights, trademarks and other intellectual property rights, please refer to the Imprint.