By: Christopher J Hodson MSc, M.Inst.ISP, CISSP
Enron changed the world of finance and the energy industry forever, and in its early days the Equifax breach looks as though it could change the face of the credit industry and of cybersecurity in the same way. That a single company could amass so much financial information on an individual and be as poorly defended as it was only emphasizes the importance of communicating security and risk effectively to your Board of Directors.
As an infosec director, I’m often asked about the biggest challenges faced by CISOs. Again and again, one key issue surfaces: the need for CISOs to deliver meaningful metrics to their Board of Directors. Boards with no security professionals among their members are increasingly funding new cybersecurity programs and initiatives without knowing what information they want or need from them. They call for metrics, and the CISO is left wondering which metrics to present that will mean something to the board.
To know which metrics to deliver, CISOs need repeatable processes and a solid grounding in risk management. They also need to meet board members where they “live”: they must talk about the same objectives the board talks about if the metrics are to make sense.