{"id":3667,"date":"2024-05-20T17:08:04","date_gmt":"2024-05-20T22:08:04","guid":{"rendered":"https:\/\/www.darkreading.com\/cyber-risk\/transforming-cisos-into-storytellers"},"modified":"2024-05-20T17:08:04","modified_gmt":"2024-05-20T22:08:04","slug":"transforming-cisos-into-storytellers","status":"publish","type":"post","link":"https:\/\/ddi.mohflo.net\/index.php\/2024\/05\/20\/transforming-cisos-into-storytellers\/","title":{"rendered":"Transforming CISOs into Storytellers"},"content":{"rendered":"<div class=\"media_block\"><a href=\"https:\/\/i0.wp.com\/eu-images.contentstack.com\/v3\/assets\/blt6d90778a997de1cd\/blt0b3ebbcc9a58fd6d\/65aaf3d7bb8508040aaa4450\/cisochoices-Panther_Media_GmbH-alamy.jpg?ssl=1\"><img data-recalc-dims=\"1\" decoding=\"async\" src=\"https:\/\/i0.wp.com\/ddi.mohflo.net\/wp-content\/uploads\/2024\/05\/transforming-cisos-into-storytellers.jpg?w=640&#038;ssl=1\" class=\"media_thumbnail\"><\/a><\/div>\n<div><img data-recalc-dims=\"1\" decoding=\"async\" src=\"https:\/\/i0.wp.com\/ddi.mohflo.net\/wp-content\/uploads\/2024\/05\/transforming-cisos-into-storytellers.jpg?w=640&#038;ssl=1\" class=\"ff-og-image-inserted\"><\/div>\n<p class=\"ContentParagraph ContentParagraph_align_left\" data-testid=\"content-paragraph\"><span class=\"ContentText ContentText_variant_bodyNormal\" data-testid=\"content-text\">In an era when chief information security officers (CISOs) can potentially <\/span><span class=\"ContentText ContentText_variant_bodyNormal\" data-testid=\"content-text\"><a class=\"ContentText-BodyTextChunk ContentText-BodyTextChunk_link\" target=\"_blank\" href=\"https:\/\/www.darkreading.com\/cyberattacks-data-breaches\/sec-charges-against-solarwinds-ciso-send-shockwaves-through-security-ranks\" rel=\"noopener\">face fraud charges<\/a><\/span><span class=\"ContentText ContentText_variant_bodyNormal\" data-testid=\"content-text\"> following a security incident, it&#8217;s more important than ever that they develop good relationships with 
C-suite executives and corporate boards. Strong relationships with CEOs, CFOs, or board members can help CISOs make a stronger case for cybersecurity efforts within their organization, potentially insulating them from taking the fall when things go wrong.<\/span><\/p>\n<p class=\"ContentParagraph ContentParagraph_align_left\" data-testid=\"content-paragraph\"><span class=\"ContentText ContentText_variant_bodyNormal\" data-testid=\"content-text\">With new US Securities and Exchange Commission (SEC) <\/span><span class=\"ContentText ContentText_variant_bodyNormal\" data-testid=\"content-text\"><a class=\"ContentText-BodyTextChunk ContentText-BodyTextChunk_link\" target=\"_blank\" href=\"https:\/\/www.darkreading.com\/cyber-risk\/make-changes-to-be-ready-for-the-new-sec-cybersecurity-disclosure-rule\" rel=\"noopener\">rules on reporting material breaches<\/a><\/span><span class=\"ContentText ContentText_variant_bodyNormal\" data-testid=\"content-text\">, conversations about cybersecurity at the board and C-suite levels have changed in the past year, says Jason Lee, CISO at cybersecurity and data analysis vendor Splunk. The company\u2019s <\/span><span class=\"ContentText ContentText_variant_bodyNormal\" data-testid=\"content-text\"><a class=\"ContentText-BodyTextChunk ContentText-BodyTextChunk_link\" target=\"_blank\" href=\"https:\/\/www.splunk.com\/en_us\/campaigns\/ciso-report.html\" rel=\"noopener\">The CISO Report<\/a><\/span><span class=\"ContentText ContentText_variant_bodyNormal\" data-testid=\"content-text\"> found that more than 90 percent of CISOs are now regularly attending board meetings.<\/span><\/p>\n<p class=\"ContentParagraph ContentParagraph_align_left\" data-testid=\"content-paragraph\"><span class=\"ContentText ContentText_variant_bodyNormal\" data-testid=\"content-text\">Board members, CEOs, and other executives are also more interested in hearing about an organization&#8217;s holistic security program than simply checking compliance boxes. 
They are focusing on things such as the return on investment (ROI) of cybersecurity purchases and the level of cyber insurance their enterprise needs, Lee adds.<\/span><\/p>\n<p class=\"ContentParagraph ContentParagraph_align_left\" data-testid=\"content-paragraph\"><span class=\"ContentText ContentText_variant_bodyNormal\" data-testid=\"content-text\">This new era of regular CISO interaction with CEOs, CFOs, and boards requires a new skill set, says Lance Sullivan, CISO of Magellan Health. Instead of a laser focus on the technologies and practices that enable strong cybersecurity, the CISO now also needs to have the soft skills necessary to explain the organization&#8217;s security needs to people with limited technical expertise.<\/span><\/p>\n<p class=\"ContentParagraph ContentParagraph_align_left\" data-testid=\"content-paragraph\"><span class=\"ContentText ContentText_variant_bodyNormal\" data-testid=\"content-text\">&#8220;The tools in the toolbox change for CISOs,&#8221; he says. &#8220;Not only do you have to be a good storyteller, but you have to be able to communicate to different audiences. 
And you still have to talk technically with your IT counterparts.&#8221;<\/span><\/p>\n<h2 class=\"ContentText ContentText_variant_h2 ContentText_align_left\" data-testid=\"content-text\" id=\"The Story-telling CISO\">The Story-telling CISO<\/h2>\n<p class=\"ContentParagraph ContentParagraph_align_left\" data-testid=\"content-paragraph\"><span class=\"ContentText ContentText_variant_bodyNormal\" data-testid=\"content-text\">Conversations with board members are turning away from compliance and focusing instead on resiliency and the impact of cyber threats, as board members and C-suite executives seem more focused on risk than they have been in the past, Sullivan says.<\/span><\/p>\n<p class=\"ContentParagraph ContentParagraph_align_left\" data-testid=\"content-paragraph\"><span class=\"ContentText ContentText_variant_bodyNormal\" data-testid=\"content-text\">The CISO as a storyteller is important because the same old slideshows illustrating the latest data breaches in the news may not hold the interest of CEOs or board members, Lee adds. Board members are increasingly asking about the relevance of this news to their organization, and CISOs must be ready to clearly explain complex topics, like how a breach at a company that has a business relationship with a vendor may create a huge risk.<\/span><\/p>\n<p class=\"ContentParagraph ContentParagraph_align_left\" data-testid=\"content-paragraph\"><span class=\"ContentText ContentText_variant_bodyNormal\" data-testid=\"content-text\">&#8220;Being able to show those business contexts like the ROI of security investments is a huge thing that we need to focus on, and CISOs don&#8217;t normally spend a lot of time on presenting and trying to be on that storytelling side,&#8221; Lee says. 
&#8220;That soft skill side is one area that we&#8217;ve got to continue to invest in.&#8221;<\/span><\/p>\n<p class=\"ContentParagraph ContentParagraph_align_left\" data-testid=\"content-paragraph\"><span class=\"ContentText ContentText_variant_bodyNormal\" data-testid=\"content-text\">With the new SEC rules, boards need to be actively involved with CISOs following a breach, Lee says, adding that the two groups should engage in discussions involving whether the breach was material and what information should go in the 8-K and 10-K reports to the SEC. Boards should also increasingly interact with CISOs about the decisions being made following a breach.<\/span><\/p>\n<p class=\"ContentParagraph ContentParagraph_align_left\" data-testid=\"content-paragraph\"><span class=\"ContentText ContentText_variant_bodyNormal\" data-testid=\"content-text\">&#8220;The board is going to want to know, &#8216;How did you determine materiality on this?'&#8221; Lee says. &#8220;&#8216;Are you going to be sharing this with investors?'&#8221; He adds that, while the SEC rules put CISOs in the legal crosshairs, the new regulations are also driving better communication between board members and CISOs.<\/span><\/p>\n<h2 class=\"ContentText ContentText_variant_h2 ContentText_align_left\" data-testid=\"content-text\" id=\"Forming a Direct Connection\">Forming a Direct Connection<\/h2>\n<p class=\"ContentParagraph ContentParagraph_align_left\" data-testid=\"content-paragraph\"><span class=\"ContentText ContentText_variant_bodyNormal\" data-testid=\"content-text\">In the past couple of years, many corporate boards have formed cybersecurity committees to develop expertise among a subset of board members. These committees give CISOs more face time with board members. 
Instead of 15 minutes with the audit committee every quarter, a CISO might now spend 90 minutes with the cybersecurity committee.<\/span><\/p>\n<p class=\"ContentParagraph ContentParagraph_align_left\" data-testid=\"content-paragraph\"><span class=\"ContentText ContentText_variant_bodyNormal\" data-testid=\"content-text\">&#8220;By having board members who are dedicated, and then having a specific session every quarter on cybersecurity, you&#8217;re starting to see more cyber experience of [board] experts and just more depth than a couple of years ago,&#8221; Lee says.<\/span><\/p>\n<p class=\"ContentParagraph ContentParagraph_align_left\" data-testid=\"content-paragraph\"><span class=\"ContentText ContentText_variant_bodyNormal\" data-testid=\"content-text\">While direct access to board members can be beneficial to CISOs, Lee says it can be equally helpful for them to have a good relationship with the CEO, CIO, or another executive who will also make the case for cybersecurity with the board. The CISO&#8217;s ability to do the job well depends on full buy-in from the board and top executives, and cybersecurity advocacy can come from multiple voices.<\/span><\/p>\n<p class=\"ContentParagraph ContentParagraph_align_left\" data-testid=\"content-paragraph\"><span class=\"ContentText ContentText_variant_bodyNormal\" data-testid=\"content-text\">The good news for CISOs is that organizations are elevating the position within their corporate structures. Splunk&#8217;s CISO report found 47% of surveyed CISOs saying they report directly to their CEOs, instead of through layers of management \u2014 Lee had originally expected the percentage to be lower. 
The report found 40% of CISOs reporting to CIOs, a more traditional approach \u2014 with another 5% reporting to CFOs, and 4% reporting to COOs.<\/span><\/p>\n<p class=\"ContentParagraph ContentParagraph_align_left\" data-testid=\"content-paragraph\"><span class=\"ContentText ContentText_variant_bodyNormal\" data-testid=\"content-text\">The level of communication between CISOs and boards correlates to the level of cybersecurity maturity at an organization, Sullivan says. &#8220;A direct connection with a CISO can mean a lot of different things, involving a lot of different people,&#8221; he says.<\/span><\/p>\n<p><a href=\"https:\/\/www.darkreading.com\/cyber-risk\/transforming-cisos-into-storytellers\">Source<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>In an era when chief information security officers (CISOs) can<\/p>\n","protected":false},"author":12,"featured_media":3668,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_jetpack_memberships_contains_paid_content":false,"footnotes":""},"categories":[1],"tags":[809],"class_list":["post-3667","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-uncategorized","tag-dark-reading"],"featured_image_urls":{"full":["https:\/\/i0.wp.com\/ddi.mohflo.net\/wp-content\/uploads\/2024\/05\/transforming-cisos-into-storytellers.jpg?fit=1800%2C1012&ssl=1",1800,1012,false],"thumbnail":["https:\/\/i0.wp.com\/ddi.mohflo.net\/wp-content\/uploads\/2024\/05\/transforming-cisos-into-storytellers.jpg?resize=150%2C150&ssl=1",150,150,true],"medium":["https:\/\/i0.wp.com\/ddi.mohflo.net\/wp-content\/uploads\/2024\/05\/transforming-cisos-into-storytellers.jpg?fit=300%2C169&ssl=1",300,169,true],"medium_large":["https:\/\/i0.wp.com\/ddi.mohflo.net\/wp-content\/uploads\/2024\/05\/transforming-cisos-into-storytellers.jpg?fit=640%2C360&ssl=1",640,360,true],"large":["https:\/\/i0.wp.com\/ddi.mohflo.net\/wp-content\/uploads\/2024\/05\/tran
sforming-cisos-into-storytellers.jpg?fit=640%2C360&ssl=1",640,360,true],"1536x1536":["https:\/\/i0.wp.com\/ddi.mohflo.net\/wp-content\/uploads\/2024\/05\/transforming-cisos-into-storytellers.jpg?fit=1536%2C864&ssl=1",1536,864,true],"2048x2048":["https:\/\/i0.wp.com\/ddi.mohflo.net\/wp-content\/uploads\/2024\/05\/transforming-cisos-into-storytellers.jpg?fit=1800%2C1012&ssl=1",1800,1012,true],"chromenews-featured":["https:\/\/i0.wp.com\/ddi.mohflo.net\/wp-content\/uploads\/2024\/05\/transforming-cisos-into-storytellers.jpg?fit=1024%2C576&ssl=1",1024,576,true],"chromenews-large":["https:\/\/i0.wp.com\/ddi.mohflo.net\/wp-content\/uploads\/2024\/05\/transforming-cisos-into-storytellers.jpg?resize=825%2C575&ssl=1",825,575,true],"chromenews-medium":["https:\/\/i0.wp.com\/ddi.mohflo.net\/wp-content\/uploads\/2024\/05\/transforming-cisos-into-storytellers.jpg?resize=590%2C410&ssl=1",590,410,true]},"author_info":{"display_name":"Dark Reading","author_link":"https:\/\/ddi.mohflo.net\/index.php\/author\/darkreading\/"},"category_info":"<a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/uncategorized\/\" rel=\"category 
tag\">Uncategorized<\/a>","tag_info":"Uncategorized","comment_count":"0","jetpack_featured_media_url":"https:\/\/i0.wp.com\/ddi.mohflo.net\/wp-content\/uploads\/2024\/05\/transforming-cisos-into-storytellers.jpg?fit=1800%2C1012&ssl=1","jetpack_sharing_enabled":true,"_links":{"self":[{"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/posts\/3667","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/users\/12"}],"replies":[{"embeddable":true,"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/comments?post=3667"}],"version-history":[{"count":0,"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/posts\/3667\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/media\/3668"}],"wp:attachment":[{"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/media?parent=3667"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/categories?post=3667"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/tags?post=3667"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}