A CISO’s Guide to Building a Strategic Relationship with the BOD

A chief information security officer’s (CISO’s) role ultimately is to help their organization’s board of directors (BOD) understand the potential impact of cyber threats on the organization. When this strategic relationship is successful, the BOD can make informed decisions about risk management, including capital allocation and spending relative to industry peers. Effective communication to this end requires the CISO to meet the BOD members where they are regarding both perspective and priorities.

The BOD is responsible for overseeing the management and performance of the organization writ large, and they almost certainly are more concerned with financial and strategic risks than with technical details. The CISO, therefore, needs to clearly articulate the potential impact of cyber risks on the organization’s bottom line in a way that is relevant and understandable to the BOD. Doing so gives the BOD the information they need to understand the state of the organization’s security program, and establishes a relationship the CISO can draw on when discussing any need for strategic improvements and investments.

Five Guidelines to Building a Strategic Relationship

Every…
