Companies are increasingly ditching the antiquated approach of putting cyber security in its own “techie” corner, driven by the “IT guy” who essentially reports only to himself because no one else can wrap their head around the topic. As noted in a recent Osterman Research survey, cyber security is a top-of-mind issue in the boardroom, with the majority of board members ranking it as the highest priority, ahead of financial, legal, regulatory and competitive risks. Today’s enterprises are staffed with security teams and C-level security practitioners who are responsible for running a cyber risk program and reporting traceable, truthful metrics to the board. With this evolution, however, a communication gap has formed. The same Osterman Research survey reveals that more than half (54%) of board members agree or strongly agree that the data presented to them is too technical.
Chief Information Security Officers (CISOs) are accustomed to thinking and speaking in their natural language – technology. To them, zero-days, patches, vulnerabilities, firewalls, DLP, SIEM and other tech-talk make sense. Yet board members are well versed in another language – risk. They want to know about the threats to their most valued assets, the associated vulnerabilities, and the probability that those two intersect, so that they can make informed decisions to reduce the company’s cyber risk.
Our Bay Dynamics co-founder and CEO Feris Rifai recently spoke at the 2016 SINET Innovation Summit about this communication gap and how CISOs can shift their approach so that they think and speak risk.