Why CISOs need to translate cyber threats into business impacts

Alain Sanchez, Senior CISO Evangelist at Fortinet.
5 years ago

The CISO role has been significantly augmented over the last 18 months. Rallying the board to the security cause is a must. To achieve that, the CISO has to translate cyber threats into business impacts. This means being able to factor what used to be network and security indicators into business KPI’s that are in line with the global company strategy. 

For example, if the company strategy is to replace local branches with mobile applications, which is a typical banking industry objective, then the Indicators of Compromise, whether unpatched workstations, the presence of rogue applications or weak passwords, need to be translated into business risks. And the CISO needs to be at the forefront of the translation and communication mechanism that makes the board aware of business vulnerabilities, not technical vulnerabilities.

Translating complex security indicators into exec-friendly drawings is the new requirement for CISOs.

The latter calls for new expertise, including knowing which security strategies are adequate to support which type of business. They are not necessarily fully compatible, and the board needs to be aware of its options. Until recently, the CISO was most of the time the one who stopped, or at best delayed, the deployment of innovative projects because the security impact of such things as collaboration, cloud-based applications, or mobility had to be evaluated first.

Today these trends are so pressing that instead of stopping them, the CISO needs to provide documented evidence. In this new role, the CISO creates the conditions for informed board decisions to be taken. It is no longer "we can't have this" but "we have three options to do this, each with its own risks, roadmap, and benefits."
