While some surveys show a high percentage of reporting to CEOs and boards, overall research indicates that CISO access to the board is not universal or frequent.
To combat such challenges and find the resources needed to engage in effective security measures, Clark advises CISOs to “create a narrative around how security enables the business, protects the business, supports the brand, and improves investor confidence.”
He says CISOs should measure and report on key indicators about risk and show how those and other security measures align with and support business needs and business strategies. Then use that to tell the story of safety and areas to improve.
“Leaders don’t want to convey bad messages to the board, and CISOs don’t want to be accused of creating a disaster, so they have to create and control the narrative. They have to learn to explain how they do business, how to protect the product, and then on the side where there are concerns, how to fix them and how to prioritize that work,” Clark says.
Clark worked with one CISO client who told the board only that the security team had identified 98% of the sites that needed to be protected, rather than explaining how the remaining 2% would be identified, what percentage of sites were actually protected, why that mattered, what was needed to close the protection gap, and the risk of not doing so.
“They have to say, ‘Here’s what we can do with our current budget, and if we want to do other things or things quickly, here’s what security will need,’” Clark said.
Such candid discussions, he adds, are well-suited to getting CISOs the resources they need to implement security measures that will help them get a few steps ahead of reaction mode.