Inside Internal Controls

News and discussion on implementing risk management

A CIO talks business sense about cyber security and the CISO

Every so often, I see an interesting piece on Forbes.com. This time it is How To Talk To the Board About Cybersecurity.

A CIO shares his experience working with boards and advice on that challenge for CISOs.

Here are some useful comments (with my highlights):

  • If a CIO can’t effectively communicate budget requirements, or a CISO can’t articulate why the risk outweighs the efficiency that would be gained by rolling out a particular technology, it puts not only technical, but business operations and security, at risk.
  • … while security teams increasingly recognize the fact that breach prevention is a losing strategy, oftentimes the board is not quite there yet. Just as security teams are recalibrating their efforts towards detection, mitigation, and resilience, CISOs should encourage the board to look at how the organization is equipped to respond when the inevitable occurs—including how it will recover.
  • One of the most important things technical leaders can do in communicating with the board is to get on the same page ahead of time. In the day-to-day of security operations (SecOps) and IT operations (IT Ops), priorities often come into conflict. One is focused on performance, which requires speed and agility. One is focused on protecting critical assets and data, which can often mean strict requirements and lengthy evaluations.

But for the board, the only consideration is how these two things are supporting (or hindering) business operations.

  • CISOs and other security leaders do need to find ways to avoid being pigeon-holed as the team of “no.” If CISOs, together with CIOs, can demonstrate a clear understanding of business requirements and objectives and talk about what security measures need to be in place to achieve them, it reframes the conversation around “when” not “if.”
  • Ultimately Security is about tradeoffs: risk vs. reward, risk vs. speed. If you, as a technology leader, can demonstrate that you understand those tradeoffs and are capable of moving forward while balancing those risks, you will be seen as an asset to the success of your business, not a roadblock.

There are a couple of key messages here that I have been sharing for several years, including in my book, Making Business Sense of Technology:

  1. Talk to leadership in business terms: what is required to achieve business objectives, whether that is security or technology innovation?
  2. While reasonable precautions need to be made to prevent a breach, that is an impossible goal. The capable hacker will get in. The question is whether it will take your organization the typical 8-9 months to know what is going on, or whether you will be able to detect a breach promptly and respond appropriately.

I welcome your thoughts.

Norman D. Marks, CPA, CRMA

Norman D. Marks is an Author, Evangelist and Mentor for Better Run Business, as well as an OCEG Fellow and Honorary Fellow of the Institute of Risk Management. Mr. Marks has been a practitioner and thought leader in internal audit, risk management, and governance for a long time. He has led large and small internal audit departments, been a Chief Risk Officer and Chief Compliance Officer, and managed IT Security and governance functions.