Speaking Board as a second language.
What we have is a failure to communicate.
By Tim Nodar, CyberWire senior staff writer
Oct 10, 2023

A look at CISOs and their role in risk management.

Speaking Board as a second language.

Splunk has published a report looking at how Chief Information Security Officers (CISOs) are dealing with threats.

Organizations and their willingness to pay ransom.

Among other things, Splunk found that 96% of the CISOs surveyed said their organizations sustained a ransomware attack in the past year. 83% of these respondents said they paid the ransom: “The most significant number paid somewhere between $25,000 to $99,000 (44%), while more than half of respondents paid more than $100,000, a stunning 9% of respondents (or one in 11) paid $1 million or more.”

The researchers add, “Of those who paid, 18% paid the ransom directly, 37% paid through cyber insurance and 28% paid through a third party.”

CISOs and boards still sometimes talk past one another.

One of the challenges CISOs face in dealing with their boards remains linguistic, or at least rhetorical. We asked Splunk about the difficulties in communication, and Ryan Kovar, Distinguished Security Strategist and Leader of SURGe at Splunk offered some thoughts:

“CISOs live and breathe cybersecurity. They are technical in nature and their priority lies in the security of their company. The board, on the other hand, is primarily focused on shareholders and how the business is doing overall – which is backed by KPIs and numbers. There is an inherent difference in priorities, but with CISOs reporting to the boards at greater frequency, coupled with the rise in cyberattacks and recent policy regulations like the SEC rulings, the two groups must speak a similar language to maximize the effect of the relationship.

In order to communicate better with the board, CISOs need to be able to frame cybersecurity issues as it relates to the bigger business. For example, if your company is impacted by a data breach, or you’re the victim of a ransomware attack, that will have an impact on how the business operates and potentially cut into revenue and profits. CISOs should look at aligning their metrics of success to board outcomes rather than reporting on technobabble facts like EDR false positive reduction. Instead, describe how the cyber security team has reduced risk and increased resilience across the organization. Being data driven is already in a CISOs background, but being able to tell a story behind the numbers is critical.”