- There is a huge gap between how senior executives/boards of directors and CISOs view the management of cyber risk.
- To bridge that divide, CISOs need to speak the language of business risk, while executives must remove the blinders that keep them from seeing the depth of the problem.
A couple of recent studies underscore the very large disconnect between boards of directors/CEOs and the CISO when it comes to managing cyber risks. The “Governance of Enterprise Security: CyLab 2012 Report,” conducted by Carnegie Mellon CyLab for RSA, produced some very disturbing findings from the energy/utilities sector. That study scrutinized whether boards and CEOs were carrying out fundamental cyber governance tasks and found that 71% of those boards rarely or never reviewed privacy and security budgets, 79% rarely or never reviewed roles and responsibilities, 64% rarely or never reviewed top-level policies, and 57% rarely or never reviewed security program assessments. This, in a highly regulated and essential industry. Continue reading “Time to Bridge the Security Divide That Separates CISOs and Directors/CEOs”