web analytics

Transforming CISOs Into Storytellers – Source: www.darkreading.com

transforming-cisos-into-storytellers-–-source:-wwwdarkreading.com
Rate this post

Source: www.darkreading.com – Author: Grant Gross, Contributing Writer

Source: Panther Media GmbH via Alamy Stock Photo

In an era when chief information security officers (CISOs) can potentially face fraud charges following a security incident, it’s more important than ever that they develop good relationships with C-suite executives and corporate boards. Strong relationships with CEOs, chief financial officers (CFOs), and board members can help CISOs make a stronger case for cybersecurity efforts within their organizations, potentially insulating them from taking the fall when things go wrong.

With new US Securities and Exchange Commission (SEC) rules on reporting material breaches, conversations about cybersecurity at the board and C-suite levels have changed in the past year, says Jason Lee, CISO at cybersecurity and data analysis vendor Splunk. The company’s “The CISO Report” found that more than 90% of CISOs are now regularly attending board meetings.

Board members, CEOs, and other executives are also more interested in hearing about an organization’s holistic security program than simply checking compliance boxes. Their focus includes the return on investment (ROI) of cybersecurity purchases and the level of cyber insurance their enterprise needs, Lee adds.

This new era of regular interaction requires a new skill set, says Lane Sullivan, CISO of Magellan Health. Instead of a laser focus on the technologies and practices that enable strong cybersecurity, the CISO also needs to have the soft skills necessary to explain the organization’s security needs to people with limited technical expertise.

“The tools in the toolbox change for CISOs,” Sullivan says. “Not only do you have to be a good storyteller, but you have to be able to communicate to different audiences. And you still have to talk technically with your IT counterparts.”

The Storytelling CISO

Conversations with the board are turning away from compliance and focusing instead on resiliency and the impact of cyber threats, as board members and C-suite executives seem more focused on risk than they have in the past, Sullivan says.

The CISO as a storyteller is important because the same old slideshows illustrating the latest data breaches in the news may not hold their colleagues’ interest, Lee adds. Board members are increasingly asking about the relevance of this news to their organizations, and CISOs must be ready to clearly explain complex topics, such as how a breach at a company that has a business relationship with a vendor may create a huge risk.

“Being able to show those business contexts, like the ROI of security investments, is a huge thing that we need to focus on, and CISOs don’t normally spend a lot of time on presenting and trying to be on that storytelling side,” Lee says. “That soft skill side is one area that we’ve got to continue to invest in.”

With the new SEC rules, boards need to be actively involved with CISOs following a breach, Lee says, adding that the two groups should engage in discussions involving whether the breach was material and what information should go in the 8-K and 10-K reports to the SEC. Boards should also increasingly interact with CISOs about the decisions being made following a breach.

“The board is going to want to know, ‘How did you determine materiality on this?'” Lee says. “‘Are you going to be sharing this with investors?'”

While the SEC rules put CISOs in the legal crosshairs, the new regulations are also driving better communication between board members and CISOs, Lee adds.

Forming a Direct Connection

In the past couple of years, many corporate boards have formed cybersecurity committees to develop expertise among a subset of board members. These committees give CISOs more face time with board members. Instead of 15 minutes with the audit committee every quarter, a CISO might now spend 90 minutes with the cybersecurity committee.

“By having board members who are dedicated, and then having a specific session every quarter on cybersecurity, you’re starting to see more cyber experience of [board] experts and just more depth than a couple of years ago,” Lee says.

While direct access to board members can be beneficial to CISOs, Lee says it can be equally as helpful for them to have a good relationship with the CEO, chief information officers (CIOs), or another executive who will also make the case for cybersecurity with the board. The CISO’s ability to do the job well depends on full buy-in from the board and top executives, and cybersecurity advocacy can come from multiple voices.

The good news for CISOs is that organizations are elevating the position within their corporate structures. Splunk’s report found 47% of surveyed CISOs report directly to their CEOs, instead of through layers of management; Lee says he had originally expected the percentage to be lower. The report found 40% of CISOs reporting to CIOs — a more traditional approach — with another 5% reporting to CFOs and 4% reporting to chief operating officers.

The level of communication between CISOs and boards correlates to the level of cybersecurity maturity at an organization, Sullivan says.

“A direct connection with a CISO can mean a lot of different things, involving a lot of different people,” Sullivan says.

Original Post URL: https://www.darkreading.com/cyber-risk/transforming-cisos-into-storytellers

Category & Tags: –

Views: 0

LinkedIn
Twitter
Facebook
WhatsApp
Email

advisor pick´S post

Nathalie Cole
How Much 10 Companies Paid Their Virtual CISO Service in 2022 Benchmark by Nathaniel Cole
How Much 10 Companies Paid...
Tushar Subhra Dutta
Top 10 Cyber Attack Maps to See Digital Threats 2022 by Tushar Subhra Dutta – Cyber Security News.
Top 10 Cyber Attack Maps...
Microsoft
Microsoft Zero Trust Maturity Model
Microsoft Zero Trust Maturity Model
US Deparment of Defense
DevSecOps Fundamentals Guidebook – Tools & Activities by American Deparment of Defense
DevSecOps Fundamentals Guidebook – Tools...
Microsoft
Microsoft 365 and the NIST Cybersecurity Framework
Microsoft 365 and the NIST...
ACSC Australia
Cyber Incident Response Plan Template by ACSC & Australian Goverment
Cyber Incident Response Plan Template...
Marcos Jaimovich
The Silent Spectre Haunting Your Network: QPhishing, the CISO’s Unspoken Nightmare.
The Silent Spectre Haunting Your...
Marcos Jaimovich
Goodbye to Traditional: Why Conventional Cybersecurity Tools are No Longer Sufficient for the Future of Digital Threats ?
Goodbye to Traditional: Why Conventional...
Marcos Jaimovich
Why do we compare a SOC (Security Operations Center) with the cockpit of a commercial airplane? by Marcos Jaimovich
Why do we compare a...
Joas Antonio
Security Operations Center (SOC) – Tools for Operations Development by Joas Antonio
Security Operations Center (SOC) –...
IZZMIER
Incident Response Playbooks & Workflows Ready for use in your SOC & Redteams
Incident Response Playbooks & Workflows...
LOGPOINT
396 Use Cases & Siem Rules Code ready for use for Mitre Attacks Events Detection in Your SOC by Logpoint
396 Use Cases & Siem...

LASTEST PUBLISHED POSTS

CASOS DE USO APLICABLES EN UN SIEM
CASOS DE USO APLICABLES EN...
IGNITE Technologies
Burp Suite for Pentester
Burp Suite for Pentester
The Institute of Internal auditors
Auditing Risk Culture
Auditing Risk Culture
DevSecOps Guide
ATTACKING PHP APPLICATIONS
ATTACKING PHP APPLICATIONS
DevSecOps Guide
ATTACKING KUBERNETES WITH SECURITY BEST PRACTICE
ATTACKING KUBERNETES WITH SECURITY BEST...
CLTC WHITE PAPER SERIES
Guidance for the Development of AI Risk and Impact Assessments
Guidance for the Development of...
Active Directory
Active Directory IT AuditChecklist
Active Directory IT AuditChecklist
A guide to business continuity planning
A guide to business continuity...
LOG RHYTHM
Using MITRE ATT&CK™ in Threat Huntingand Detection
Using MITRE ATT&CK™ in Threat...
Kaspersky
H2 2023 – A brief overviewof main incidentsin industrial cybersecurity
H2 2023 – A brief...
Andrey Prozorov
24 Great Cybersecurity Frameworks
24 Great Cybersecurity Frameworks
ENISA-EUROPA
SEGURIDAD DE TELECOMUNICACIONES
SEGURIDAD DE TELECOMUNICACIONES

More Latest Published Posts

SF-ISAC
Digital Operational Resilience Act
Digital Operational Resilience Act
SYNGRESS
DIGITAL FORENSICS WITH Open Source TOOLS
DIGITAL FORENSICS WITH Open Source TOOLS
IT REVOLUTION DEVOPS ENTERPRISE FORUM
DevOps Automated Governance Reference Architecture
DevOps Automated Governance Reference Architecture
SANS GIAC CERTIFICATIONS
Detecting Attacks on Web Applications from Log Files
Detecting Attacks on Web Applications from Log Files
EUROPEAN DATA PROTECTION SUPERVISOR
ANNUAL REPORT 2023
ANNUAL REPORT 2023
TechTarget
IT Disaster Recovery Plan Template
IT Disaster Recovery Plan Template
Opstune
IOC Scan Framework v2.0
IOC Scan Framework v2.0
Federal Office for Information Security
Indirect Prompt Injections
Indirect Prompt Injections
the Department of the Environment Climate and Communications
Guidelines on CyberSecurity Specifications
Guidelines on CyberSecurity Specifications
Edelman
INCIDENT RESPONSE REFERENCE GUIDE
INCIDENT RESPONSE REFERENCE GUIDE
Security METRICS
Security Metrics Guide to PCI DSS Compliance
Security Metrics Guide to PCI DSS Compliance
SOC TIPS Cybersecurity
Guia de Resposta a Incidentes de Segurança para LGPD
Guia de Resposta a Incidentes de Segurança para LGPD
CDCP
FIREWALL Audit CHECKLIST
FIREWALL Audit CHECKLIST
GitGuardian
Secrets Management Maturity Model
Secrets Management Maturity Model
MegaCorp One
Sample Penetration Test Report
Sample Penetration Test Report
FORTINET
Routing in FortiGate
Routing in FortiGate
FUTURE OF PRIVACY FORUM
Risk Framework Body Related Data (PD) Immersive Tech
Risk Framework Body Related Data (PD) Immersive Tech
ENISA
Remote ID Proofing Good Practices
Remote ID Proofing Good Practices
Google
Why Red TeamsPlay a Central Rolein Helping OrganizationsSecure AI Systems
Why Red TeamsPlay a Central Rolein Helping OrganizationsSecure AI Systems
Red Canary
Threat Detection Report 2024
Threat Detection Report 2024
HADESS
Pwning the Domain Persistence
Pwning the Domain Persistence
Australian Goverment
PROTECTIVE SECURITYPOLICY FRAMEWORKSecuring government business:Protective security guidance for executive
PROTECTIVE SECURITYPOLICY FRAMEWORKSecuring government business:Protective security guidance for executive
CISC (Comité Internacional Sobre Ciberseguridad)
Política Nacional de Ciberseguridad 2023-2028
Política Nacional de Ciberseguridad 2023-2028
Google
Perspectiveson Securityfor the Board
Perspectiveson Securityfor the Board
HADESS
OSINT Method for Map Investigations
OSINT Method for Map Investigations
CCN-CERT
Observatorio Riesgos Ciberseguridad 2024
Observatorio Riesgos Ciberseguridad 2024
CYBERTHEORY
The ISMG Cybersecurity Pulse Report 2024 is a treasure trove of insights from the RSA Conference, revealing the dynamic landscape of cybersecurity. From AI to Zero Trust: A comprosive guide to the key themes and expert opinions from RSA CONFERENCE 2024 – #RSAC2024
The ISMG Cybersecurity Pulse Report 2024 is a treasure trove of insights from the RSA Conference, revealing the dynamic landscape of cybersecurity. From AI to Zero Trust: A comprosive guide to the key themes and expert opinions from RSA CONFERENCE 2024 – #RSAC2024
FORTINET
Bloking Malware Through Antivirus Security Profile in FortiGate
Bloking Malware Through Antivirus Security Profile in FortiGate