More than ever before, CISOs need to be able to effectively communicate the value of their teams’ efforts across the entire organization, as well as upstream to the C-suite and Board of Directors, by speaking in a language the rest of the organization can understand. This is the case not only in commercial organizations, but also the private sector.
A recent study examined the disconnect between an organization’s commitments to risk-based security management and its ability to develop the collaboration, communication styles and culture necessary for effective security programs across the organization.
Key findings from the survey include:
- 64 percent said they don’t communicate security risk with senior executives or only communicate when a serious security risk is revealed.
- 47 percent said that collaboration between security risk management and business is poor, nonexistent or adversarial.
- 51 percent rated their communication of relevant security risks to executives as “not effective.”
In this video, security experts discuss the challenges involved in establishing clear means of communicating risks to the business stakeholders in order to more effectively achieve and maintain a viable security posture.
Included in the discussion are:
- Prescott Winter, Managing Director of the Chertoff Group
- Mark Weatherford, Principal at the Chertoff Group
- Keren Cummins, Tripwire’s Director of Federal Solutions
This video also poses a question as to who is responsible for communicating this risk properly — is it the responsibility of the security team, or that of the business executives? Effectively communicating risk to the executive level is critical in these days of breaches and class action lawsuits, primarily because when lawyers talk about ‘due care,’ it is often in the context of liability for negligence claims.
For more insights on the subject of how security plays a vital role in creating a standard of due care and a platform to have better risk-based security management conversations, check out the following resources:
- The Role of Security in Creating a Standard of Due Care
- Communicating Risk More Effectively
- SANS Twenty Critical Controls as an Information Security Standard of Care
- CISOs and the SEC: Scrutiny Ahead
- Using the Top 20 Critical Security Controls to Get your CFO’s Attention
Pre-register today for a complimentary hardcopy or e-copy of the forthcoming Definitive Guide™ to Attack Surface Analytics. You will also gain access to exclusive, unpublished content as it becomes available.
* Show how security activities are enabling the business
* Balance security risk with business needs
* Continuously improve your extended enterprise security posture
Tripwire has also compiled an e-book, titled The Executive’s Guide to the Top 20 Critical Security Controls: Key Takeaways and Improvement Opportunities, which is available for download [registration form required].
This publication is designed to assist executives by providing guidance for implementing broad baseline technical controls that are required to ensure a robust network security posture.
The author, a security and compliance architect, examined each of the Controls and has distilled key takeaways and areas of improvement. At the end of each section in the e-book, you’ll find a link to the fully annotated complete text of the Control.
Download your free copy of The Executive’s Guide to the Top 20 Critical Security Controls: Key Takeaways and Improvement Opportunities today.
Title image courtesy of ShutterStock