Skip to main content

The Vilkas Wire

10 Essential Questions Every Cybersecurity Leader Must Ask

Sep 11, 2025 · By Ben Rollin

Defender Tips
cyber chains

Cybersecurity headlines often highlight zero-days, supply chain compromises, or state-sponsored threats. But if you look closely at the root cause of most breaches, the "sophisticated" attack rarely takes a company down. It is the basics left undone: a forgotten asset, a weak password, or a backup that no one bothered to test. This is usually the case during our penetration tests and red teams, especially as more organizations have adopted sophisticated EDR and MDR tools and services. Often, when we peel back the layers and evade defenses, we uncover issues that could have been prevented if these key factors had been considered.

At Vilkas Cybersecurity, we consistently see organizations with expensive security tools undone by the simplest gaps. Strong CISOs and other security leaders separate themselves by being able to answer a clear set of questions without hesitation. If you cannot, attackers may already have the answers for you.

Every security leader should be ready to answer these ten questions.


1. Do we know our critical assets and where they live?

Every organization has "crown jewels": customer data, proprietary code, and financial systems. Yet many have not accurately inventoried where those assets reside. Shadow IT, cloud sprawl, and forgotten servers all create blind spots. You cannot protect what you cannot see.

2. Are we patched and scanning for vulnerabilities continuously?

Attackers thrive on old software. In fact, many ransomware campaigns exploit known flaws that have been public for months or years. Automated patching and scheduled vulnerability scans close the most obvious doors. Security leaders should insist on proof that patching is both current and verified.

3. How are credentials managed across the enterprise?

Credential misuse remains a leading cause of compromise year after year. Default passwords, accounts that never expire, and spreadsheets full of service credentials are a gift to attackers. Enforce password managers, rotate privileged accounts or set strong passwords, and audit for defaults regularly. It is not glamorous, but it is what keeps attackers out.

4. Is multifactor authentication enforced everywhere it matters?

MFA drastically reduces account takeover risk, but gaps remain. Service accounts, legacy apps, and privileged access often slip through the cracks. Attackers know this. Security Leaders need visibility into where MFA is actually enforced, not just where policies say it should be. We typically see MFA enabled on external services, but when organizations implement MFA internally on common services used for lateral movement, such as Remote Desktop (RDP), while locking down other services, it can make lateral movement more difficult.

5. Do we have an incident response plan, and have we tested it?

A breach is not the time to decide who calls legal, who notifies regulators, or how the board must be briefed if the unthinkable happens. A written plan is step one. Running tabletop exercises is step two. The organizations that recover fastest are the ones that have rehearsed their worst day before it happens.

6. Are backups resilient and tested?

Backups are often touted as the answer to ransomware. But when was the last time yours were restored under pressure? Many security leaders have discovered too late that backups were corrupt, incomplete, or reachable by the attacker. Backups should be immutable, isolated, and verified regularly through drills. It's not enough to check a box for an auditor that backups are being done; they should be tested periodically to ensure they're there and can be leveraged if needed.

7. How secure is remote access?

Remote and hybrid work are here to stay. Yet remote access often expands the attack surface in ways leadership does not see. VPNs without strong authentication, exposed RDP, or poorly segmented access can give an attacker an easy foothold. Secure remote access is now business-critical, especially in the post-COVID remote work era.

8. Are employees trained, and is phishing risk actively managed?

Technology cannot replace people as the first line of defense. Employees who are never appropriately trained on phishing or data handling become liabilities. Training alone is not enough; it should be paired with reporting mechanisms, simulated exercises, and filtering controls to build a culture of awareness. Training should be realistic and engaging, not the types of training employees groan and click through mindlessly, let the videos play out, and take the quizzes repeatedly to achieve a passing grade. Also, avoid ongoing phishing services that send out extremely unrealistic phishing campaigns. These can confuse employees and leadership, as sophisticated attackers will not use obvious tactics. Perform real-world exercises, targeted at key departments (especially those often engaging with external third parties such as sales and marketing professionals). Provide a thorough breakdown of the indicators of emails used in a targeted campaign and highly tailored training based on the risks facing different departments. A cookie-cutter approach is not enough anymore and risks making employees numb to real threats.

9. Do we have visibility into our cloud environments?

Cloud adoption has outpaced security for many organizations. Misconfigured storage, overly permissive access, and missing monitoring are common root causes of breaches. A well-versed security leader can explain precisely how their cloud environments are governed, monitored, and secured against drift.

10. Is cybersecurity strategy tied to business priorities and budget?

Security cannot survive on leftover funding or tactical one-offs. If the budget does not align with the real threats to your business, you are underinvesting in resilience. Strong security leaders tie strategy to business priorities and speak the language of risk, not just technology. Security should not be an afterthought, reactive, or a minimal checkbox exercise. All aspects of the environment, both internal and external, should undergo periodic rigorous manual testing to expose gaps, and any issues identified should be actioned appropriately and not left untouched in a forgotten report on a file share.


Closing Thoughts

These questions are not a complete framework but a reality check. Your organization is ahead of the curve if you can confidently answer them. If not, the gaps represent the exact paths attackers will take.

Security leaders earn credibility not by chasing shiny tools but by proving that the fundamentals are covered. At Vilkas, we see the same story play out across industries: organizations that take care of the basics first are the ones that withstand the storm.


Have a question about this article or a security challenge of your own?

Vilkas Cybersecurity helps organizations uncover and fix real-world exposures, not just theoretical ones. Fill out the form and we'll get back to you shortly.

Loading form…