Want to get ahead? Four activities that can enable a more proactive security regime
Although other surveys show a higher percentage reporting to CEOs and boards, the research overall points to the fact that CISO access to the board is far from universal or frequent.
To counter such challenges and get the resources required to engage in proactive security measures, Clark advises CISOs to “create the narrative about how security is enabling the business, protecting the business, supporting the brand, and improving investor trust.”
He says CISOs should measure and report on key indicators around risk and show how those and other security measures align with and support business requirements and business strategy, and then use that to tell the security story and identify areas for improvement.
“Leaders don’t want to communicate bad messages to the board, and CISOs don’t want to be accused of catastrophizing, so they have to create and control the narrative. They have to learn to articulate how they enable the business, how they’re safeguarding the brand, and then on the flip side where there are areas of concern, how they can fix them and how they’re going to prioritize that work,” Clark says.
Clark worked with one CISO client who told the board that the security team had identified 98% of the endpoints that need protecting, rather than explaining how the remaining 2% would be identified, what percentage of endpoints were actually protected, why that mattered, what was needed to close the protection gap, and the risk of not doing so.
“They should say, ‘Here’s what we can do with our current budget, and if we want to do other things or things faster, here’s what security is going to need,’” Clark says.
Such frank discussions, he adds, are more apt to get CISOs the resources they need to implement the security measures that will help them get a few steps ahead of reactive mode.