Intelligent CISO Issue 40 - Page 19

cyber trends
and build personal relationships with them , because if you can show how your cybersecurity strategy is necessary to enable their personal projects and priorities , they will support you in every step .
2 . Create metrics and stories that link back to the business . It ’ s much more impactful if you can really make security seem intrinsic to the business success – make sure you link cybersecurity messages and stories to strategic business imperatives , industry trends and local objectives so the board can see that this is not just an IT problem , it ’ s a business one too .
3 . Be pragmatic . As a CISO , you have to convey the risk to the board and ensure they understand the different choices , but respect that they have wider considerations . You must give them the information and your recommendations but let them make the best business choice – then it ’ s your job to implement it , whatever they decided . expectations were excessive , compared to 57 % globally .
It ’ s a worrying situation and we ’ ve discussed things like CISO burnout and the number of people only staying in roles for up to 24 months before moving on . Overall , across the globe , 25 % of CISOs said they felt strongly supported by the board and in the Middle East 31 % felt that the board really had their back .
That ’ s better than the global average but still not ideal as you really want the board and the CISO to be working in synergy , understanding the risks , prioritising and being able to move forward together .
To address this , there are several things that CISOs should look to do :
1 . Make personal time . Don ’ t allow anybody else to deliver your security message to the board , make sure you own the message . Look for ways to speak to those board members outside of the boardroom to try
I think most CISOs could actually bankrupt their organisation by trying to make it as secure as possible , but that ’ s not practical – we have to embrace some level of risk and we have to trust business leaders to make the right decisions based on the information we provide them with .
Your research revealed that a majority of CISOs still consider human error to be their organisation ’ s biggest cyber vulnerability – What are the risks and how can these be mitigated ?
So often , when reading about peoplecentric security , you ’ ll see references to people being ‘ a first line of defence ’ or ‘ a last line of defence ’ or a ‘ weakest link ’ and I think all of those are a little unfair .
Instead , we need to consider people as our ‘ primary attack surface ’. Staff are under constant attack and data from the recent Verizon Data Breach Study highlighted that 85 % of successful attacks had a human element , so the human aspect is vital .
The Middle East understands this – 70 % of CISOs believe that users are one of www . intelligentciso . com
19