How can CISOs improve communication with the board?

By Michael Hughes

The role of the CISO within the enterprise environment has not always been regarded as important, influential and necessary as it should have been. Given the current climate in which data is king and the capabilities of unethical hackers evolving at a constant rate, this is changing.

The Importance of the CISO

The primary purpose of a CISO is to secure the means by which businesses protect themselves from hostile actors who may be seeking to penetrate defences for a variety of reasons, from making a direct financial gain to causing reputational damage by leaking sensitive information to the public. Of equal importance is the evolving way in which data is collected, stored and analysed for business benefit. As endpoints multiply and the vulnerabilities of the enterprise landscape are better highlighted, the need for CISOs to adequately illustrate an organisation's preparedness for an attack is vital.

CISOs are tasked with presenting meaningful security metrics to a Board of Directors that is typically, if not exclusively, made up of individuals without a security background. In order to overcome such barriers to well-informed and agreeable dialogue, the CISO must illustrate an organisation's security posture in a way that is both informative and highly tailored to its audience.

How CISOs Can Succeed

The most effective way in which this can be achieved is by aligning security metrics with key business objectives, highlighting the cost-benefit of investment and ensuring the Board is fully briefed on the cost of failing to protect against internal and external threats.

This, of course, is easier said than done, as many CISOs continue to present information in a way which many on the Board will find either impenetrable or unengaging. The most common ways in which CISOs fail to communicate adequately are by presenting raw quantitative figures, such as counts of malware outbreaks, and by using security and non-compliance jargon which is foreign to those outside the profession. Equally problematic is the commonly used traffic-light system as a way to present an organisation's risk matrix. Whilst moving away from impenetrable InfoSec-centred language is an understandable route to take, a traffic-light rating does not provide enough actionable data and reflects a misunderstanding of the company's true risk profile.

Growing Concerns

If InfoSec leaders wish to have their voices heard as loudly and clearly as is necessary, the CISO needs to be able to adequately break down and present the key issues of visibility and business resilience. These primary concerns have remained constant over the last two decades and have only increased in sensitivity as the fourth industrial revolution tightens its grip on security protocols whilst simultaneously providing greater opportunities. In a world in which cloud computing is the new normal, exponential growth in data collection is a reality and advanced persistent threats make headlines on a regular basis, now is the time to harmonise the role of the CISO at Board level.

Join us for ESRM UK

Rather than leaving the Board to wonder why they invested in cybersecurity in the first place, CISOs must be prepared to answer fundamental security questions rather than view them as unanswerable. Whilst total security can never be achieved, there is certainly room for the dialogue between CISOs and the Board to be improved. Join us for our 10th biannual Enterprise Security and Risk Management conference in London on 26 March 2019.