It’s no secret that there is a tenuous relationship between most chief information security officers (CISOs) and their executive suite and board. The CISO is caught between a rock (cause) and a hard place (effect).
CISO-led enterprise security programs are intended to protect against security breaches. Executives have a duty to protect the business from unacceptable impacts, yet they are rarely (if ever) presented with quantifiable, data-driven security strategies and action plans that tie the control of specific breach outcomes, and the impacts associated with them, to specific budgets.
This exposes executives to external challengers — including investors, insurers, opposing legal counsel, regulators, and customers — regarding enterprise cyber-risk exposure. But these are not the only challengers. Internally, CISOs compete…