CISOs, Do You Speak Business Risk? You Better
By Patricia Titus, Vice President and Chief Information Security Officer
This blog was originally posted in Information Unleashed: The Official Voice of Symantec
Security leaders have come a long way, from backroom IT gurus to earning a seat at the executive table. Today, boardroom discussions increasingly focus on security threats and risk management, and CISOs are being asked by the CEO “How secure is our online e-commerce site?” or “Are we at risk of being attacked by hackers?”
As a security leader, your answer to these questions can determine whether you get the resources and support needed to manage the risks to your organization. Therefore, the ability to answer these kinds of questions in a way that resonates with business executives is critical.
To do this, you cannot rely on the technical dashboards of past IT GRC solutions. While these dashboards allow you to respond to security incidents and meet compliance requirements, they do not foster effective communication with business executives – which is where risk management discussions and decisions are being made. To business peers, IT risk has always looked like a mass of technical data coming from different servers, applications, databases and virtual machines. It’s daunting, disorganized and hard to decipher. What business execs need to see are risks tied back to their piece of the business.
At Symantec, we recognize that prioritizing risks by business priorities is a big shift in mindset. The good news is that 38% of your peers say they are already doing it, while an additional 49% at least believe they should be prioritizing the most critical risks by impact to key business priorities. However, effectively managing business risks also requires that you be able to speak in business-centric terms. Herein lies the challenge – today’s IT GRC solutions don’t do that.
What you need is a way to take the huge amounts of data you’re managing across the infrastructure and translate it in a way that puts everyone on the same page. When your CEO asks about the security of your e-commerce site, you can easily respond that the acceptable risk threshold is a two, that right now your risk level is at a five, and that by taking actions X and Y immediately you can align with your desired risk threshold and reduce risk to the business.
That’s what we’ve been working on here at Symantec: a better way to communicate IT risk in business terms. Symantec is helping CISOs deliver a view of IT risk that is relevant to their business peers’ piece of the business. View this video to learn more about how the CISO’s role has evolved now that you’re seated at the executive table.