BreachExchange mailing list archives

Are boards deaf to CISOs, or do they just not care?


From: Audrey McNeil <audrey () riskbasedsecurity com>
Date: Tue, 1 Sep 2015 19:38:52 -0600

http://www.itworldcanada.com/post/are-board-deaf-to-cisos-or-do-they-just-not-care

There is no doubt most members of a board of directors will shiver when
told their organization has been the victim of a data breach. Ordinarily,
however, they shouldn’t collapse. A well-briefed board should understand a
network breach is unavoidable for any enterprise, so what matters is
whether the organization is prepared.

It’s the responsibility of the CISO to prepare the board for that
inevitability. But do boards want to hear the message? Columnist George
Hulme argues
<http://www.csoonline.com/article/2978020/security-leadership/do-boards-of-directors-actually-care-about-cybersecurity.html>
that a recent PriceWaterhouseCoopers survey on the state of U.S. cybersecurity
suggests there are three types of organizations when it comes to board
awareness: horrendous, adequate, and excellent. Nearly a third of
respondents said their security leaders make *no* presentations at all to
the board, while 26 per cent of CISOs, or their organization’s equivalent,
provide an annual presentation to their board of directors.

Only about 30 per cent of respondents said their senior security executives
give quarterly cybersecurity presentations.

One-third of survey respondents at small enterprises reported that they
don’t ever advise the board on cybersecurity efforts. Perhaps that’s
understandable since smaller organizations don’t see themselves as having
large repositories of personal or financial data (a bad assumption). Still,
Hulme says, a “shockingly high” 18 per cent of security leaders at larger
enterprises don’t talk to their boards either.

“While business leaders talk about how important cybersecurity is,” Hulme
writes, “security laments that it’s not getting the tools and the resources
needed to adequately secure the organization.”

What should the CISO do? Earlier this year I interviewed Forrester Research
analyst Martin Whitworth (see the link above to *CISOs are ‘ignoring the
writing on the wall’*) who told me security leaders have to work at
cultivating board contacts to make sure their voices are heard, and to make
sure they talk the language of business risk.

But, as Greg Thompson, Scotiabank’s vice-president of IT risk told a
Toronto conference earlier this year,
<http://www.itworldcanada.com/article/sc-congress-use-linux-to-fight-malware-and-let-business-learn-security-speak/375337>
that doesn’t mean they should make their messages simple. “We’re at the point
now in cybersecurity where we should not be dumbing down our message,” he
said. “We should not be talking in a language the business understands. The
business needs to understand our language. Boards of directors need to
understand our language.”

Clearly CISOs still have some work to do to make sure their messages are
heard at the board level — before there’s gnashing of teeth.
_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/
Unsubscribe at http://lists.osvdb.org/mailman/listinfo/dataloss
For inquiries regarding use or licensing of data, e-mail
        sales () riskbasedsecurity com 
