The “Great Disconnect between InfoSec and the Business”

A new piece from AuditBoard, Scaling ITRM: The Promise and Challenges of Risk Quantification, has a lot to recommend it.

They talk (correctly) about the Great Disconnect between CISOs and the executive suite. Their failure to understand each other leads to what cyber practitioners see as the underfunding of cybersecurity.

However, I believe their solution is wrong. There is a far better way.

They capture the problem very well when they say:

As technological transformation creates more business-owned digital assets — which contain massive volumes of sensitive employee, customer, and vendor data — information security teams shoulder the heavy responsibility of maintaining effective and resilient IT risk management programs. However, a common challenge many IT security leaders face is obtaining support from their executive peers for necessary investment in resources to manage critical InfoSec risk areas.

On the business side, executives admit to the difficulty of managing increased IT and security risk exposures in today’s fast-paced environment.

80% of executives surveyed in PwC’s 2022 Global Risk Survey report that keeping up with the speed of digital transformation is a significant risk management obstacle.

Businesses that do excel in managing both upside and downside risks have the advantage of agility. Their…
