June 16, 2016 By Douglas Bonderud 2 min read

CISOs have a daunting task: They must not only manage IT security and investment, but also effectively communicate current cyber risk information and actionable strategies to the C-suite on a regular basis.

According to SecurityWeek, CISO longevity may now also be at risk because these tasks aren’t getting done. Approximately 59 percent of surveyed board members said that CISOs “will lose their jobs as a result of failing to provide useful, actionable information.” How do CISOs make sure they’re safeguarding company assets and translating this data into meaningful C-suite insight?

In the Know With Cyber Risk Information

With cyber risk now a top priority for organizations, 89 percent of board members say they’re “very involved” in making security decisions, with 74 percent receiving weekly risk updates, SecurityWeek reported. While CISOs are doing a better job of communicating the basics — 70 percent of executives understand what security pros are trying to get across — more than half still feel the information offered is too technical. IT experts, meanwhile, believe only 30 percent of those on the board are actually getting the message.

Not surprisingly, this leads to a disconnect regarding actionable information. While 97 percent of C-suite members believe they know what to do with cyber risk information, just 40 percent of security professionals say this information is actionable. In other words, both sides want the same thing — clear, timely, insightful data — but can’t agree on what it should look like or how it should be presented.

There’s bad news for CISOs, however: If boards don’t like the method, medium or message, the result may be a pink slip. Beyond lost employment and the hunt for a new security executive, however, this disconnect has a real-world impact on high-value initiatives such as big data projects. As noted by Infosecurity Magazine, 73 percent of these projects are put on hold because of “worrisome” security concerns.

Finding Balance

So what’s the root of the problem? Are CISOs simply unwilling to communicate in a way that satisfies board members? Or are C-suites too demanding when it comes to actionable cyber risk information?

Chances are the truth lies somewhere in between. According to CSO Online, for example, successful CISOs must fulfill four roles: the strategist, the adviser, the guardian and the technologist.

While they spend 77 percent of their time as tech experts and data defenders, many want to shift the balance and spend just 35 percent of their time in these roles. This would leave more room to develop new security initiatives and effectively communicate them to management.

Part of that shift relies on movement from the CISO, but the C-suite also plays a critical role. Right now, security budgets are often tied to the quality of security presentations. If risk isn’t articulated as desired or threats aren’t seen as dangerous enough, budgets are frozen or slashed. But with cyberattacks and malware on the rise, the suggestion that corporate networks are safe is ludicrous.

Constant vigilance and continuous improvement are necessary to protect critical assets. It’s important for C-suites to trust the judgment of CISOs — even if presentations fall flat. By giving them what they need to shore up defenses, security executives can spend more time developing and communicating new strategies instead of fighting IT fires.

Put simply, talk trumps termination. CISOs are under more pressure than ever to deliver actionable, insightful content at board meetings. Rather than showing them the door, however, it’s worth giving them room to work.

More from

Cloud Threat Landscape Report: AI-generated attacks low for the cloud

2 min read - For the last couple of years, a lot of attention has been placed on the evolutionary state of artificial intelligence (AI) technology and its impact on cybersecurity. In many industries, the risks associated with AI-generated attacks are still present and concerning, especially with the global average of data breach costs increasing by 10% from last year.However, according to the most recent Cloud Threat Landscape Report released by IBM’s X-Force team, the near-term threat of an AI-generated attack targeting cloud computing…

Testing the limits of generative AI: How red teaming exposes vulnerabilities in AI models

4 min read - With generative artificial intelligence (gen AI) on the frontlines of information security, red teams play an essential role in identifying vulnerabilities that others can overlook.With the average cost of a data breach reaching an all-time high of $4.88 million in 2024, businesses need to know exactly where their vulnerabilities lie. Given the remarkable pace at which they’re adopting gen AI, there’s a good chance that some of those vulnerabilities lie in AI models themselves — or the data used to…

FBI, CISA issue warning for cross Apple-Android texting

3 min read - CISA and the FBI recently released a joint statement that the People's Republic of China (PRC) is targeting commercial telecommunications infrastructure as part of a significant cyber espionage campaign. As a result, the agencies released a joint guide, Enhanced Visibility and Hardening Guidance for Communications Infrastructure, with best practices organizations and agencies should adopt to protect against this espionage threat. According to the statement, PRC-affiliated actors compromised networks at multiple telecommunication companies. They stole customer call records data as well…

Topic updates

Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today