CISOs and Board Reporting – an Ongoing Problem

For CISOs to gain the support of the board, they must first translate and report highly technical cybersecurity concerns and solutions into a language that can be understood by less technical businesspeople. The quality of this reporting becomes directly proportional to the degree of board support and the subsequent implementation of enterprise cybersecurity.

CyberSaint, a risk management company, has talked to CISO members of the Advanced Cyber Security Center (ACSC) about this problem. The purpose was to uncover the challenges, opportunities, and effectiveness of risk reporting in large enterprises.

The primary challenges for CISOs are threefold: the technical complexity of the issues concerned, which makes them difficult for non-technical businesspeople to understand; the lack of any standard reporting metrics, which makes it difficult to compare performance across business units within an organization and against industry peers in other organizations; and the time, expertise, and cost of reporting, which cause many CISOs to resort to simple spreadsheets.

The three primary priorities that business leaders seek to understand are the management of strategic risk; the organization’s…
