This gives them confidence that you are working within a recognised structure and have a solid grasp of what the trend looks like
• Proactively control the narrative so as not to be seen exclusively as the bearer of bad news. Look for a ‘front page of the news’ win to highlight, like a NotPetya or a WannaCry type of global event. Explain how the risk was relevant to your business and what your team did to mitigate risk
• Provide overall metrics on trends. There is nothing more relevant than using your data to frame a high-level discussion about what incidents looked like during the reporting period. Specific metrics might include: whether incidents are trending up or down and the cause; how many incidents you are dealing with; and how long it takes to identify an intrusion, remediate and recover. Again, remember to stay away from acronyms and jargon
• Report on the top three risks on which you are focusing. Control the narrative and relate these to the business so that your board will understand that you are more than just a CISO. Some examples that could be germane to your business:
1. The sales and marketing department is migrating from an on-premises customer relationship management system to a software-as-a-service equivalent and you are working on managing the risks associated with the migration
2. Planned merger and acquisition activity requires that you focus on preventing the financial details from getting into the hands of a competitor or threat actor
3. The business is launching a new product that will account for 30% of net new revenue in the following year and you need to protect your intellectual property
At a future board meeting, close the loop and report back on how the security and risk organisation helped enable the success of the strategic business activities you are involved in protecting.

What do I think are the issues that CISOs need to be on top of right now? Here’s my top five:
• GDPR. Much has been said about this already but CISOs should be very wary of thinking they have met the end of May deadline and awarding themselves a slap on the back. The hard work starts now. Firms may think they are compliant but, in truth, GDPR is so far-reaching that many will not be. The ICO could be waiting on a test case to levy the €20 million/4% of global turnover fine – don’t let it be you
• Recruiting and retaining staff. I think the ‘cybersecurity talent shortage’ is a self-fulfilling prophecy – go and find the talent and nurture it if necessary. UK universities are awash with cybersecurity talent and
Issue 06 | www.intelligentciso.com