Generally speaking, Chief Information Security Officers (CISOs) came up through the ranks of IT, corporate security or law enforcement, not the business management path. Now CISOs have to evolve to think and speak like experienced business people. What's going on? This infographic outlines four forces coming together to push cybersecurity leaders out of their normal skill sets and comfort zones.
Rise of the Business-Savvy CISO
Generally speaking, CISOs came up through IT or from a corporate security or law enforcement background.
Now CISOs have to evolve: to think and speak like business people.
What's going on?
Four forces are coming together to move CISOs beyond their comfort zones:
1. New Risk Landscape—Bigger, More Complex
The move to the cloud and other technologies outside traditional central enterprise control complicates security. Damages from cyber threats now go far beyond IT and have become a major concern for senior management and boards. Threats are escalating massively, from ransomware to data theft.
2. New Relation of Risk and Security to the Business
Cyber risk = business risk for management and boards as part of their fiduciary and regulatory responsibilities. The rest of the business demands communication in business terms = dollars and cents.
3. Old Models Not Cutting It
Asking for budget based on "Fear, Uncertainty and Doubt" (FUD) has become like the boy who cried wolf. "Qualitative" risk models with heat maps or "High", "Medium", "Low" ratings are too squishy. Compliance checklists don't give guidance on how to prioritize security efforts against the risks specific to an organization.
4. Move to Proactive Choice on Risk
Companies have come to realize that 100% security is impossible. Therefore, risk posture is a choice. Organizations must make conscious, well-informed, cost-effective decisions on security investments.
The Bottom Line:
CISOs are meeting the challenges by helping organizations understand cyber risk in financial terms and by enabling cost-effective prioritization and spending decisions.