Before Sarbanes-Oxley passed in 2002, having a financial expert on the board was not the norm in the American corporate boardroom. CFOs, originally thought of as financial gatekeepers, are now held accountable more than ever for the integrity, accuracy and traceability of the financial information presented to the board. Today it is widely accepted that financial risk is managed across the entire business.
We are now seeing that same transformation in cybersecurity.
With the increase in industry regulations coupled with a fluid stream of high profile data breaches, CISOs are becoming boardroom mainstays, expected to present traceable, understandable and accurate cybersecurity risk information to enterprise leaders.
While the transformation spans the gamut of industries, it has become front and center among financial companies, where new regulations and guidelines have surfaced, such as the newly revised New York State cybersecurity requirements and the Group of Seven (G7) cybersecurity guidelines, in addition to the string of cyberattacks against banks such as the Bangladesh Bank, Ecuadorian and Ukrainian banks, and the Russian Central Bank.
Financial companies are feeling the pressure to make cybersecurity a top business priority that sits on the same level as, if not higher than, other operational risks.
While boards want to hear from the CISOs on a regular basis, they don’t want to hear about the latest firewall purchase or the number of vulnerabilities that were patched. They want to learn about the company’s cybersecurity program in a language they understand – risk – and how cybersecurity risk maps to dollars and cents.
Measuring the financial impact of cybersecurity risk and prioritizing remediation efforts so that the most impactful security exposures are tackled first should be top of mind for CISOs.
This requires knowing where their most valuable assets live and being able to distinguish real threats and their associated vulnerabilities from noise. Accurately attaching a potential financial loss amount to applications at risk is not easy, but it is a critical success factor for the 2017 CISO.
If CISOs in the financial industry want to swim ahead of the changing tide, they need to speak the board’s language. They need to understand where their most valued assets exist and the threats and vulnerabilities to those assets, and then map the financial impact at stake. Their assessment needs to be based on actual conditions detected in their environment, with actions prioritized toward remediating the threats and vulnerabilities that reduce the value at risk the most.
Not only does this approach let enterprises direct their limited resources at their biggest problems, but it also arms them with actual financial impact metrics to present to the board. They can show the potential loss they saved the company by taking certain actions, and can help board members make effective investment and budget allocation decisions based on the most impactful cybersecurity risks.
Board members are increasingly relying on CISOs to present cybersecurity risk information in the language of risk, mapped to the company’s business imperatives and to the board’s risk tolerance. At this time next year, CISOs being boardroom mainstays will be far from novel.