IDC PeerScape: CISO Best Security Practices — Influencing the Board
Many organizations have cybersecurity teams, perhaps even led by a chief information security officer (CISO). But there is often a disconnect between the risk management activities of the security team and the broader understanding of cyber-risk at board level. One symptom of this disconnect is that the CISO is rarely a genuine C-level executive, instead most often reporting to the CIO or another senior manager.

There are many challenges in exerting influence at board level, but IDC believes the first of these is that the security team and the CISO do not own — or are not seen to own — cyber-risk. But what does "owning cyber-risk" really mean?

In many cases, this is a question of authority — most CISOs do not have sufficient clout to own or influence a companywide risk. This may be because the individual concerned lacks the credibility and credentials to earn such authority, but most often it is a lack of ability or focus in being prepared to educate the board on cyber-risk.

There is also a major difference between owning risk and security strategy at board level and owning the assessment, execution, and risk mitigation approaches at an operational level. Many CISOs get tripped up by this distinction.

This IDC PeerScape examines three best practices for establishing influence on security strategy at board level. It is aimed at CISOs and senior security leaders who sometimes struggle with board-level communications and messaging, and it provides examples and insights from leading practitioners.

"Many CISOs struggle with gaining and maintaining influence in the boardroom," said Duncan Brown, Group Vice President, IDC EMEA. "First, CISOs need to understand what their boards need of them in terms of strategy input and execution. CISOs sometimes want to have all the control, but they lack the influence and executive presence needed in the boardroom. Second, boardroom influence is heavily reliant on effective communication, so knowing what to say and how to say it is critical. Third, measure what matters to the board — everything else is extraneous detail."
Please Note: Extended description available upon request.
IDC PeerScape Figure
Executive Summary
Peer Insights
Practice 1: The Board Owns the Issue, the CISO Owns the Answer
Challenge
Example
Guidance
Practice 2: Communicate Like a Pro
Challenge
Example
Guidance
Practice 3: Choose Metrics That Matter to the Board