A communication gap exists today between CISOs and the board of directors. As revealed in our recent report, two-thirds of IT and security executives say they know what kind of information to present to the board, however only two in five agree the information is actionable. There's a split in what kind of information they believe the board wants – whether it's quantitative vs. qualitative – and an overwhelming majority (81 percent) use manually compiled spreadsheets to collect data, which often leads to data being fudged, whether intentionally or unintentionally. CISOs simply dust off the data they collected at whichever point in time, present it and wait for the next quarter when reporting comes around the merry-go-round again. Meanwhile, the company's cyber risk posture may be getting worse, while their security blind spots expand.
CISOs should present quantitative data with context. For example, instead of simply providing a number of all of the vulnerabilities within the company's infrastructure, they may want to focus on those that directly affect the company's most treasured assets, and show the value at risk if those assets were compromised. They should explain the company's risk in a way that's traceable. For example, if they spotted a vulnerability with an associated threat to a treasured asset and therefore elevated the company's level of risk, they should be able to show where the data came from, when it was collected, who was informed at the time, what steps were put in place to remediate it and what the company should do as a whole to prevent it in the future.
Modern CISOs must give board members trustworthy visibility into the company's cyber risk posture, and must communicate with the board in the language of ‘risk' framed in the context of relevant business concerns. Otherwise, they risk being replaced.