Security managers must clarify their communication with management and the board of directors and prioritize the real risks. In France, 62% of the CISOs surveyed say they have had difficulty demonstrating the quantified impact of their cybersecurity strategy.
Like their colleagues in the IT department, more than half of the CISOs responsible for their organization’s digital security “struggle to communicate this issue in a language their board can understand,” according to Bharat Mistry, CTO of Trend Micro. The vendor’s latest international study, covering 2,600 CISOs, offers some useful lessons.
A striking indicator of the perception gap between security teams and management: according to 80% of respondents, the board would only be moved to act if a successful attack caused a financial loss above €165,000. Even if this result must be treated with caution, it shows how far there is still to go in quantifying the impact of attacks and aligning the strategies of the two sides.
This misalignment can also lead to ad hoc purchases of security products that do not solve the underlying problems but add complexity, and therefore unnecessary additional cost.
Internationally, 79% of cybersecurity leaders say they have experienced pressure from the board to downplay the severity of the risks their organization faces. Among respondents, 43% say that management and the board are not aware of how important these risks are, and 43% say their warnings are perceived as nagging and repetitive. Finally, 42% of CISOs believe they are seen as overly negative.
In France, more than half of CISOs believe their managers fully understand the issues
Beyond this pessimistic picture, the survey offers a more optimistic counterpoint: 56% of respondents believe that their management fully understands cyber risks, which gives some hope for better communication. Note, however, that 62% of the panel said they had difficulty demonstrating the benefits of their cybersecurity strategy.
Another significant indicator: in France, an overwhelming majority of CISOs (90%) have a relatively clear idea of their organization’s appetite for cyber risk. One can guess that, to put it mildly, they do not rate the risk appetite of management and the executive committee (Comex) as high.
As a reminder, three quarters of CISOs say that successful cyberattacks have a very high impact in terms of financial and business risk. On methodology, the picture is clear: 94% of CISOs have indicators with which to measure their cybersecurity posture.
The ways to improve communication with management are well known, but they are worth restating. First, security teams should use plain language, without too many acronyms or technical jargon. Next, the cybersecurity strategy must be aligned with the company’s business goals. Of course, using relevant metrics (KPIs) is an essential step.
It is also better to report to the board on a few key items, but more often, or as real, prioritized risks evolve.
Finally, the ideal is to set aside time to build personal relationships with board members, bearing in mind that this cannot be decreed: every company is different, and all the more so the people and managers who make up its board.