Boardroom information security has long been the «elephant in the room», but it is now more visible in board conversations because of greater awareness of cybersecurity risks and threats. As a result, boards have become increasingly demanding of the chief information security officer (CISO) and management teams.
However, CISOs must be well prepared for the task of shifting the board's focus from technical to organizational concerns. In the past, cybersecurity topics were viewed as specialized in nature and often not relevant to the board's discussions. Time constraints in board meetings also make it difficult to cover all the detail that effective oversight requires. Consequently, boards typically did not understand the information presented by management or by the CISO. In fact, according to a survey by Bay Dynamics, 70 percent of respondents reported that they did not understand the cybersecurity information presented to them.
The CISO must be able to present risk details to the board in a way that is simple to understand and accessible, without the usual «geekspeak» that characterizes cybersecurity discussions. To do this, the CISO should develop a clear risk communication methodology that can be used throughout the organization. The FAIR model, for example, is a valuable tool in this regard, since it communicates risk in quantifiable terms such as loss event frequency (how often a loss event is expected per year) and loss magnitude (what each event is expected to cost).
Moreover, the CISO must be able to show that cybersecurity is a business issue and that it should be treated as one because of its effect on revenue. For instance, the CISO should be able to explain how a ransomware attack such as the one experienced by Lansing BWL in 2016 could lead to lost production and a decline in customer trust, which could ultimately cost the company a great deal of money.
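The two preceding paragraphs describe communicating risk in FAIR terms (loss event frequency and loss magnitude) and using a ransomware scenario to make that concrete for the board. The following is an added example, not code from the article or from the FAIR standard itself: a small Monte Carlo simulation in the FAIR style that turns min/most-likely/max estimates for frequency and magnitude into an annualized loss distribution that can be reported as a median and a 90th percentile. The ransomware figures used as input are constructed for illustration and are not Lansing BWL's actual numbers; the triangular distribution is a simplification of the PERT distributions FAIR tooling commonly uses.

```python
import random


def simulate_annual_loss(lef, lm, iterations=10000, seed=1):
    """
    FAIR-style Monte Carlo for annualized loss exposure.

    lef: (min, most_likely, max) loss event frequency, events per year
    lm:  (min, most_likely, max) loss magnitude per event, in USD
    Returns a dict with the mean, median (p50), 90th percentile (p90)
    and worst simulated annualized loss. Deterministic for a given seed.
    """
    rng = random.Random(seed)
    losses = []
    for _ in range(iterations):
        # random.triangular takes (low, high, mode); draw this year's
        # expected frequency from the estimator's range.
        freq = rng.triangular(lef[0], lef[2], lef[1])
        # Convert a fractional frequency into a whole number of events:
        # the fractional part becomes the probability of one more event.
        n_events = int(freq)
        if rng.random() < freq - n_events:
            n_events += 1
        # Each event gets its own magnitude draw, so several cheap events
        # and one expensive event are both represented in the tail.
        total = sum(rng.triangular(lm[0], lm[2], lm[1]) for _ in range(n_events))
        losses.append(total)
    losses.sort()
    n = len(losses)
    return {
        "mean": sum(losses) / n,
        "p50": losses[int(0.50 * (n - 1))],
        "p90": losses[int(0.90 * (n - 1))],
        "max": losses[-1],
    }


def board_summary(result):
    """Plain-language one-liner of the kind a CISO would put on a slide."""
    return (
        "Median annual loss ${:,.0f}; 1-in-10 year loss at least ${:,.0f}; "
        "worst simulated year ${:,.0f}".format(
            result["p50"], result["p90"], result["max"]
        )
    )


# Constructed ransomware scenario (illustrative assumptions, not real data):
# a successful ransomware event every 2 to 10 years, most likely every 5,
# costing $200k to $5M per event in downtime, recovery and lost business.
RANSOMWARE_LEF = (0.1, 0.2, 0.5)
RANSOMWARE_LM = (200_000, 1_000_000, 5_000_000)

if __name__ == "__main__":
    result = simulate_annual_loss(RANSOMWARE_LEF, RANSOMWARE_LM)
    print(board_summary(result))
```

Because the most-likely frequency is below one event per year, the median annual loss is zero while the 90th percentile is not; that gap is exactly the point to make to a board, since an "expected annual loss" figure on its own hides the bad year the organization must be able to survive.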