No matter the years of experience in cybersecurity, security professionals are often in situations where crucial details are missing. Yet, we often hesitate to ask questions because we don't want to appear ignorant or don't know what to ask.

I captured my perspective on asking questions in a constructive way in a three-post series. Read the posts to learn how to use questions to succeed with the following cybersecurity activities:

  • Planning: Preparing for tactical and strategic projects to strength the security program.
  • Discovery: Assessing security, understanding requirements, investigating an incident, etc.
  • Persuasion: Getting buy-in from stakeholders, defending budget requests, and advocating your perspective.

I clarified what makes some questions "good" and some "bad" with the help of many real-world examples. My goal was to prepare security professionals to ask the right questions for advancing security projects.

I also presented on this topic at RSA Conference. You can watch the recording of this session:

Updated October 14, 2021

About the Author

Lenny Zeltser develops products and programs that use security to achieve business results. He is the CISO at Axonius and Faculty Fellow at SANS Institute. Lenny has been leading efforts to establish resilient security practices and solve hard security problems for over two decades. A respected author and practitioner, he has been advancing tradecraft and contributing to the community. His insights build upon real-world experience, a Computer Science degree from the University of Pennsylvania, and an MBA degree from MIT Sloan.

Learn more