Are you reporting your poor cyber-security posture to the board? 🏢
Why not?
As a director or c-suite exec, you are obligated to ask about and identify risks to the company/organisation. How big is your risk appetite?
Forbes recently posted “10 Strategies CISOs can use to improve Board Cyber Risk Reports” (link in comments), which is a great snapshot of just a few important actions you should be taking *today* – not just as a CISO, but as any board member or executive.
My top 3 picks from their article:
1. “Resist the temptation to filter the bad news” 📰
Don’t lie to the board, don’t fudge your numbers, don’t report mistruths. The board is there to assist you, to prioritise and to strategise; be transparent and honest.
2. “Avoid vain metrics” 🔢
The number of incidents raised/resolved, on its own, is nothing but show-boating. Break incidents down by the business systems or processes they affect (e.g. the percentage hitting each) and you’re beginning to provide extra value.
3. “Clearly and concisely explain critical risks outside of appetite” ⚠️
“How big is your risk appetite?” If your organisation has identified a risk with both high likelihood and high impact, it sits outside any sensible appetite: it’s a critical risk that must be mitigated. Don’t sweep it under the carpet.
Forbes Article: 10 Strategies Chief Information Security Officers can use to Improve Board Cyber Risk Reports