Page 45 - CDM-CYBER-DEFENSE-eMAGAZINE-December-2018
Failure to Communicate Effectively With the Board
CISOs are typically expected to present to the board of directors and give them an overview of security
operations and the state of risks, as well as to make the business case for further security investments.
Audit committees and chairs are increasingly requiring solid security metrics to prove a company’s risk
level. They, too, don’t want to incur risk or reputational damage related to their own accountability.
However, such communication between boards and security leaders can be a stretch if a CISO struggles
to effectively share knowledge that makes sense to corporate leadership, especially if intuitive reporting
that is easy enough for board members to comprehend quickly is lacking. Additionally, there is often a
disconnect between the security leader’s priorities and the board’s agenda.
A 2017 report from risk management firm Focal Point Data Risk found that a majority of CISOs struggle
to adequately convey the value of security to the board. Many CISOs cited board awareness of security
(or, specifically, lack thereof) as a major reason why it is difficult to communicate security’s value
effectively.
It is the CISO’s job to understand what the board values, learn to speak their language, and to make the
case for security. And that means taking every opportunity to engage with executive leadership and board
members to discuss the challenges a CISO faces. It is also critical to explain how security furthers
corporate goals and serves as a business enabler. The CISO should demonstrate security’s value with
concrete examples in a way the board can relate to and understand. That means skipping the deep
analytics and talking to them in plain, understandable language when you have their ear. Use visual
reporting when possible to show risks in an easily digestible format.
Failure to Foster a Corporate-Wide Security Culture
According to new research from ISACA and CMMI Institute, CISOs are still struggling to make security a
priority throughout their organizations. The Cybersecurity Culture Report found that just five percent of
employees think their organization’s cybersecurity culture is as advanced as it needs to be to protect their
business from internal and external threats.
The research, based on more than 4,800 business and technology professionals who shared their
insights, also found 42 percent of organizations do not have an outlined cybersecurity culture
management plan or policy.
What’s at the heart of an effective cybersecurity culture? It is an understanding among all employees that
security is everyone’s business: security awareness and behaviors are part of daily operations, and security
is treated as a priority at the highest level. Unfortunately, in many businesses this is still not the case;
the research revealed that just 34 percent of respondents understand their role in their organizations’
cyber culture.