TLDR:
Security leaders are feeling pressure from boards to downplay cyber risks, leading to a growing ‘credibility gap’. A report by Trend Micro found that 79% of IT leaders have felt pressure to understate cyber threats. Only half of respondents believe their C-suite understands the risks fully. To bridge the gap, CISOs should focus on expressing cyber risks in terms of business value.
Article Summary:
Senior cyber security professionals are facing pressure from boards to minimize the severity of cyber risks, creating a credibility gap between CISOs and boardrooms. A report by Trend Micro revealed that 79% of IT leaders have felt pressure to downplay cyber threats in their organizations.
Reasons for this pressure include boards perceiving CISOs as repetitive or negative. Despite their efforts to keep boards informed of potential risks, a third of senior security personnel reported that the board dismissed their warnings.
Furthermore, only half of respondents believe their C-suite fully comprehends the cyber risks facing the organization, and these attitudes seem unlikely to shift without a shock: 80% of respondents believe boards will take decisive action on cyber risk only after a serious breach.
To address this issue, CISOs should focus on expressing cyber risks in terms of the business value that cyber resilience can deliver. When security leaders can measure the business value of their cyber security strategy, they are viewed with more credibility and given more responsibility within the organization.
Experts suggest that CISOs often fail to convey cyber risks effectively to boards by relying on technical jargon and statistics. Instead, they should frame cyber risks in the context of wider business risks to justify the level of investment required to enhance cyber resilience.
Ultimately, bridging the credibility gap between security leaders and boards is crucial for organizations to effectively address and mitigate cyber risks.