To Lead as a CISO, Explain the Business Impact of Security Risks
- Rather than presenting metrics that the CEO or board may not understand, a CISO should explain security trends of importance to the company.
- Visualizations such as infographics may aid in telling that story because they quickly capture executives’ attention.
“Ultimately, the goal of sharing metrics is to make sure there’s a follow-up discussion with the higher-ups to make an informed decision.”
If the chief executive officer (CEO) were to call Prasanna Ramakrishnan and nervously ask, “How secure are we?”, his first answer would be, “Depends.” It’s not a simple black-and-white answer, he believes, and a chief information security officer (CISO) is best served by providing a cautious, nuanced approach to the CEO and the board rather than painting an overly rosy picture of security or risk management.