CISO and CEOs still face a communication barrier, making it difficult for senior executives to understand what cyber risks - and cybersecurity - mean for their companies, the CEO and president of Qualys said in London last week.
“To be able to decide on how much you spend on cybersecurity, you need to be able to articulate what is the potential of loss that comes from cybersecurity,” Sumedh Thakar, told the audience at the vendor’s user conference.
See also: CISOs, unis, investors turn to richer metrics as security training evolves
Thakar said in his keynote that CISOs and board members often speak different languages to one another, exacerbating the divide between business and security.
The communication gap stems from a fundamental difference in their roles and priorities. Many CISOs have come from a strong technical background, often focusing on specific security controls and tools. CEOs, and their fellow board members, are naturally concerned with driving business growth and profitability.
Thakar said the lack of communication can cause issues in understanding the security posture of the company and the budget needed to secure it.
Qualys’ chief risk technology officer Richard Seiersen, echoed this sentiment in a conversation with The Stack. He pointed out that the CISO role is ever-evolving and increasingly needs to move beyond a purely technical focus.
To bridge the gap between the CISOs and CEOs, Seiersen suggested security leaders think like a CEO.
See also: Shell appoints former CISO as new Group CIO
“You need to be able to articulate how you are being both economically and operationally efficient in what you're doing, to support the business in meeting its objectives.” said Seiersen, “You're reducing the likelihood of plausible future loss. That could impact the business objective. You should be able to articulate why that is.”
In his keynote, Thakar described how all parties need an understanding of cyber risk and to keep up to date as the cyber threat landscape changes.
CISOs should communicate clearly with CEOs to demonstrate the return on investment of cybersecurity initiatives and should actively collaborate with CEOs in strategic decision-making processes, he said. This will ensure that security considerations are integrated throughout the organisation, from product development through to supply chain management.
CISOs must translate technical risks into business impact for CEOs. Collaborative decision-making with CISOs at the table, will ensure security is embedded throughout the organisation, said Thakar. By prioritising clear communication and collaboration, organisations can empower CISOs and build a united front against cyber threats.
