\u201cAmy Pascal steps down as head of Sony Pictures\u2019 film business.\u201dThat banner displayed on my phone, sent by the Wall Street Journal. If they deemed it important enough to trigger a blast, chances are your executive team knows about it. Maybe it matters to them.This is an opportunity for the security leader.As it makes headlines, Pascal\u2019s departure is an excellent conversation starter with fellow executives. The key is engaging as a leader and focusing on how a highly public story matters to your organization.Be cautious in suggesting Amy Pascal lost her job because of the actual breach. As with any announcement wrapped in the headline of \u201csecurity breach,\u201d this is no cause for celebration. The challenge is sifting through the nuance of what happened, how it was handled, and the fallout.First, note the language and a few details:Amy Pascal is \u201cstepping down\u201d - she wasn\u2019t fired (even though the headlines imply as much)Her contract expires in March - makes for great timing to part ways and save faceShe\u2019s starting her own production company in May (at Sony) - so this is not likely the end of her careerSecurity breaches provide fantastic cover to handle otherwise unpleasant tasks. In this case, however, it does seem that the breach played a role in her departure. It appears that Pascal is stepping down \u201cto pursue other interests\u201d because of what the breach revealed.The breach, response, and subsequent handling are minor players. The larger issue and focus of the headlines was the nature of her emails and other information leaked by the attackers.With that in mind, here are three questions to frame the conversation security leaders need to have with executives and board members.1. \u201cWhat did you think of the announcement?\u201dThey may actually share some insights into the way boards and executives handle such events. Perhaps they have little opinion. There is no right or wrong answer. The key is absorbing what they say, and paying attention to what they don\u2019t say.This is your starting point for the conversation. Then pivot to your organization.Explain that while the lack of focus on security may have played a role, you see it as more indirect. Pause for just a second. Give them a chance to react. Consider their response.Aside: it\u2019s a bit unusual for a security leader to suggest that an action in the wake of a breach may not have been directly related to security. This is important because it demonstrates your capacity as a leader to look at a bigger picture and draw on additional expertise.If necessary, point out that the interest in Sony tended to focus on salaries, contracts, scripts and the personal and sometimes crude emails of the executives.2. \u201cIs there anything in your emails and files that, if exposed, would get you fired?\u201dThis is a direct and specific question that has a tendency to make people uncomfortable. Leaders ask hard questions, but give people the space to process and come to the right answer. Some folks respond well, some don\u2019t.Ask anyway.Don\u2019t try to predict or prejudge the answer. The point is to seed the concept and see what it leads to. Focus the conversation on what matters to them.This is a chance to listen and learn. Don\u2019t lecture and bore them to death. Instead of focusing on what you\u2019ll say next, be present and participate in the conversation.If it\u2019s really uncomfortable, shift away from their personal embarrassment to ask about intellectual property or other areas of interest. Don\u2019t worry about technology unless they bring it up. Chances are, they won\u2019t.Listen to their words, make a note of what matters to them. This is what you and your team need to protect.3. \u201cIn the event we experience a breach, what are our priorities?\u201dThis is the opportunity to set aside the bias for breach prevention (link) and encourage others to do the same. Introduce the \u201cassume breach\u201d mindset and the importance of speed of detection coupled with accurate response.The nature of this question focuses on response. However, understanding the priorities (note: the board and executives may not always have the same priorities - a different challenge to address later), helps you to align prevention, detection, and response on what matters most.Making time for \u201cthe talk\u201dThe time for the talk is when the headline is still generating buzz. That means making time now.The key is positioning it as a conversation, not a lecture. Keep it brief. Bring the coffee and danish. Ask these questions and see where it leads. They should reveal some key insights you need to make sure you and your team are focused in the right areas. The conversation may even lead to more discussions and opportunities to make some needed adjustments -- to align with and protect the business. \u00a0As a security leader, this is your time to connect, learn, and influence. Have a good conversation and let me know how it goes.