The Key: Linking Security Metrics to Business Objectives
- The CEO is looking to the CISO and the CISO’s organization to adequately assess the risk and prioritize it.
- Rather than reporting on the ROI for one piece of equipment, it’s best to present the board with information showing how the investment has affected the business’ overall security posture over time.
“The first thing the chief executive officer (CEO) or board wants is to be aware that a risk exists,” says Vikas Bhatia. The CEO is looking to the chief information security officer (CISO) and his or her organization to adequately assess the risk and prioritize it. The CEO needs to know how important the risk is. “Many technical CISOs are unable to quantify the impact of a risk to the business,” says Bhatia, “and this is often the source of confusion around appropriate security strategy.”