CISOs find themselves increasingly engaged directly with their Board and Executives because the Board and Execs see the volume and impact of security incidents increasing. In fact, Oxford Economics just reported that serious breaches permanently shave nearly 2% off public company value. This is in addition to the substantial expense ($4 million per breach on average) and turmoil organizations experience when incidents do occur. Executives and Boards are left wondering if management understands the risk – where it resides, how much it is, and whether it is being adequately addressed.
When CISOs get the call from their boards and Execs, they are often not able to answer these questions and to converse in a way the Execs and Board want. CISOs are extraordinarily adept at understanding security risk that arises around the technologies employed by their organization but translating their technical understanding into business terms can be difficult. Communicating technical risk into business risk is a paradigm shift for most organizations. Effective information security programs are becoming “Business Driven Security” programs.
RSA just released a Security for Business Innovation Council Report regarding this problem, “What Boards Want to Know and CISOs Need to Say” that discusses the translation of security leadership into board value. A Business Driven Security strategy is core to the translation of CISO technical expertise into Board terminology but it also enables CISOs to better understand where they should implement technical and organizational measures to protect the most important information to the organization. This understanding can be more easily conveyed to the Board and executive team before spending millions of dollars on security initiatives and human resources. It provides the what, where, how, and why they are spending the money, that it's being spent properly, on the biggest risks, and that there are procedures to monitor that the spend has been effective. In my next blog I will describe how you can use RSA Archer to drive a Business Driven Security strategy.