Solution: Speak the Language of Risk
Boards understand risk; security executives also must understand it.
Security executives are no longer viewed as the “techies” who only manage cyber-security technology.

They are increasingly viewed as risk professionals, in the same light as other operational risk leaders (such as legal and financial).

Due to this shift, security executives must change their approach.
Instead of reporting on patches, misconfigurations and other technology-focused information, they should report on threats, the associated vulnerabilities in their most-valued assets, and the probability of the two meeting, then apply security resources accordingly.

That’s the language the board understands.
