BreachExchange mailing list archives
Are boards deaf to CISOs, or do they just not care?
From: Audrey McNeil <audrey () riskbasedsecurity com>
Date: Tue, 1 Sep 2015 19:38:52 -0600
http://www.itworldcanada.com/post/are-board-deaf-to-cisos-or-do-they-just-not-care

There is no doubt most members of a board of directors will shiver when told their organization has been the victim of a data breach. Ordinarily, however, they shouldn’t collapse. A well-briefed board should understand that a network breach is unavoidable for any enterprise, so what matters is whether the organization is prepared.

It’s the responsibility of the CISO to prepare the board for that inevitability. But do boards want to hear the message?

Columnist George Hulme argues <http://www.csoonline.com/article/2978020/security-leadership/do-boards-of-directors-actually-care-about-cybersecurity.html> that a recent PricewaterhouseCoopers survey on the state of U.S. cybersecurity suggests there are three types of organizations when it comes to board awareness: horrendous, adequate, and excellent.

Nearly a third of respondents said their security leaders make *no* presentations at all to the board, while 26 per cent of CISOs, or their organization’s equivalent, provide an annual presentation to their board of directors. Only about 30 per cent of respondents said their senior security executives give quarterly cybersecurity presentations.

One-third of survey respondents at small enterprises reported that they don’t ever advise the board on cybersecurity efforts. Perhaps that’s understandable, since smaller organizations don’t see themselves as having large repositories of personal or financial data (a bad assumption). Still, Hulme says, a “shockingly high” 18 per cent of security leaders at larger enterprises don’t talk to their boards either.

“While business leaders talk about how important cybersecurity is,” Hulme writes, “security laments that it’s not getting the tools and the resources needed to adequately secure the organization.”

What should the CISO do?
Earlier this year I interviewed Forrester Research analyst Martin Whitworth (see the link above to “CISOs are ‘ignoring the writing on the wall’”), who told me security leaders have to work at cultivating board contacts to make sure their voices are heard, and to make sure they talk the language of business risk.

But, as Greg Thompson, Scotiabank’s vice-president of IT risk, told a Toronto conference earlier this year <http://www.itworldcanada.com/article/sc-congress-use-linux-to-fight-malware-and-let-business-learn-security-speak/375337>, that doesn’t mean they should make their messages simple. “We’re at the point now in cybersecurity where we should not be dumbing down our message,” he said. “We should not be talking in a language the business understands. The business needs to understand our language. Boards of directors need to understand our language.”

Clearly CISOs still have some work to do to make sure their messages are heard at the board level, before there’s gnashing of teeth.
_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/
Unsubscribe at http://lists.osvdb.org/mailman/listinfo/dataloss
For inquiries regarding use or licensing of data, e-mail sales () riskbasedsecurity com

Supporters: Risk Based Security (http://www.riskbasedsecurity.com/)
YourCISO is an affordable SaaS solution that provides a comprehensive information security program that ensures focus on the right security. If you need security help or want to provide real risk reduction for your clients, contact us!