How to Empower Today’s ‘cISOs’

Dark Reading – Rick Holland
Many security and risk leaders have an uppercase "C" in their title, but there is nothing "Chief" about them. They are executives in title only, and, just like the bottom three finishers in English Premier League soccer, these security leaders face relegation. For Americans, this is the equivalent of being a last-place finisher in Major League Baseball and your entire team gets sent down to Triple-A ball. To be successful and to be taken seriously by their other C-level peers, chief information security officers (CISOs) need a different approach. Combining my years of experience as an industry analyst with my perspective as a CISO, here are three recommendations for empowering CISOs with a capital C.

1. Understand how your business generates revenue.
2. Understand your business risks and how to mitigate them.
3. Make the most of your board presentation.

Now that you've laid the groundwork for a successful board presentation, what specific metrics should you report on? Keeping in mind that you have a finite amount of time to present and you don't want to overcomplicate the message, I suggest you focus on the following areas:

Report on the program's overall maturity using an industry-accepted framework (e.g., ISO 27001 or the NIST Cybersecurity Framework) to measure and track maturity and governance. Provide a high-level update to the board, for example that the organization is at 60% maturity based on the framework. Proactively control the narrative so as not to be seen exclusively as the bearer of bad news.

Provide overall metrics on trends. Report on the top three risks you are working on. Control the narrative and relate these to the business so that your board will understand that you are more than just a cISO.
Link: https://www.darkreading.com/threat-intelligence/how-to-empower-todays-cisos/a/d-id/1331865