Information security has been the "elephant in the room" of the boardroom for quite a while, but it is now far more prominent in board conversations because directors have a better understanding of cybersecurity risk. As a result, boards have become increasingly demanding of the chief information security officer (CISO) and the management team.

However, CISOs must be prepared for the work of shifting the board's focus from technical problems to organizational problems and factors. In the past, cybersecurity topics were viewed as purely technical and often as not relevant to the board's discussions. Time constraints in board meetings also make it difficult to cover all the detail that effective oversight requires. Consequently, the board often did not understand the information presented by management or by the CISO. According to a survey by Bay Dynamics, per cent of participants reported that they did not understand the cybersecurity information given to them by their enterprise.

The CISO must be able to present risk information to the board in a way that is easy to understand and accessible, without the usual "geekspeak" that characterizes cybersecurity conversations. To do this, the CISO should develop a clear risk communication methodology that can be used throughout the organization. The FAIR (Factor Analysis of Information Risk) model, for example, is a valuable tool in this regard because it communicates risk in quantifiable terms, chiefly loss event frequency (how often a loss event is expected per year) and loss magnitude (how much each event is expected to cost), which combine into an annualized loss exposure the board can weigh against other business risks.
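To make the FAIR terms concrete, the following is an added example (not code from the original article or from the FAIR Institute) of the kind of Monte Carlo estimate a CISO might run to turn loss event frequency and loss magnitude ranges into a board-ready annualized loss exposure with tail percentiles. The input ranges are constructed placeholders, not figures from any real organization, and the use of triangular distributions in place of the PERT distributions that FAIR tooling usually applies is a simplifying assumption.

```python
"""
Minimal FAIR-style Monte Carlo estimate of annualized loss exposure (ALE).

Added example, not from the original article. The (min, most likely, max)
triples below are constructed placeholders that an analyst would replace with
calibrated estimates from incident history and threat intelligence.
"""
import math
import random
from typing import Dict, List, Sequence, Tuple

Triple = Tuple[float, float, float]  # (minimum, most likely, maximum)


def _poisson(rng: random.Random, rate: float) -> int:
    """Sample one year's event count from Poisson(rate) using Knuth's method."""
    if rate <= 0:
        return 0
    threshold = math.exp(-rate)
    count, product = 0, rng.random()
    while product > threshold:
        count += 1
        product *= rng.random()
    return count


def simulate_annual_loss(
    lef: Triple, lm: Triple, years: int = 10_000, seed: int = 1
) -> List[float]:
    """Return one simulated total loss per modelled year.

    lef: loss event frequency, events per year, as (min, mode, max).
    lm:  loss magnitude per event, in currency units, as (min, mode, max).
    Assumption: both are drawn from triangular distributions, a stand-in for
    the PERT distributions commonly used in FAIR analyses.
    """
    rng = random.Random(seed)  # fixed seed so a board pack is reproducible
    losses: List[float] = []
    for _ in range(years):
        # random.triangular takes (low, high, mode)
        rate = rng.triangular(lef[0], lef[2], lef[1])
        n_events = _poisson(rng, rate)
        losses.append(sum(rng.triangular(lm[0], lm[2], lm[1]) for _ in range(n_events)))
    return losses


def percentile(values: Sequence[float], p: float) -> float:
    """Nearest-rank percentile for p in (0, 1]."""
    ordered = sorted(values)
    idx = max(0, math.ceil(p * len(ordered)) - 1)
    return ordered[idx]


def summarize(losses: Sequence[float]) -> Dict[str, float]:
    """Board-ready figures: expected annual loss plus tail percentiles."""
    return {
        "ale": sum(losses) / len(losses),  # annualized loss exposure (mean)
        "p50": percentile(losses, 0.50),
        "p90": percentile(losses, 0.90),
        "p95": percentile(losses, 0.95),
        "max": max(losses),
    }


if __name__ == "__main__":
    # Constructed scenario: ransomware against an operational network,
    # 0.1 to 1 events per year (mode 0.3), 50k to 5M per event (mode 400k).
    RANSOMWARE_LEF: Triple = (0.1, 0.3, 1.0)
    RANSOMWARE_LM: Triple = (50_000, 400_000, 5_000_000)
    for name, value in summarize(simulate_annual_loss(RANSOMWARE_LEF, RANSOMWARE_LM)).items():
        print(f"{name:>4}: {value:>14,.0f}")
```

The point for the board is the shape of the output rather than any single number: the mean (ALE) is what a budget line should be compared against, while the 90th and 95th percentiles show the bad-year exposure that justifies controls whose cost exceeds the average loss.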

Moreover, the CISO must be able to demonstrate that cybersecurity is a business issue and that it should be considered in light of its impact on revenue. For example, the CISO should be able to show how a ransomware attack such as the one experienced by Lansing BWL in 2016 could lead to lost productivity and a decline in customer trust, which could ultimately cost the company significant amounts of money.