Blog

CISOs and Their Boards are Failing to Communicate — with Disastrous Results for Enterprise Security

Posted by: Michael Greenberg
July 06, 2022
CISOs and Their Boards are Failing to Communicate -- with Disastrous Results for Enterprise Security

Why changing your reporting approach is the key to connecting with your board and protecting your most critical assets.

Today’s CISOs understand that cyber-risk has never been greater. 

Yet communicating that risk to the board — and contextualizing it within the specifics circumstances of their company — has never been more difficult.

The truth is that board reporting methods remain stuck in the past, mired in a framework that doesn’t clearly convey what is at stake or properly consider critical asset risk.

Let’s take a closer look at these problems — and review how a fresh approach to reporting strategy can help bridge the perpetual disconnect between CISOs and their boards.

Where the Traditional Reporting Approach Fails

Many CISOs are too far out of the reporting loop. A 2021 Ponemon Institute study showed only 7% of CISOs report directly to their CEOs. Meanwhile, only roughly 60% of CISOs “regularly brief” their board of directors.

Yet even when CISOs are positioned closer in the process, reporting is often deeply inadequate. One flawed approach is the recitation of conventional security figures: Listing how many vulnerabilities, incidents, patches etc. exist and how those numbers change over time.

Lengthy discourses about security team actions, based on conventional metrics, offer no real insight and create white noise, obscuring the real heart of the matter: Are our most important assets safe?

The Right Way to Approach Board Reporting

To understand whether critical assets are safe, you need visibility into how things change over time, and how those changes affect risk.

Modeling to predict the likelihood of an attack is one way to do this. This approach provides a consistent predictive model that cuts through the noise of what can be bypassed, and what cannot, and contextualizes this information within the framework of critical assets.

Boards need to understand the likelihood of compromise and the impact that could occur to business-critical assets. These risks should be contextualized to each part of the business. For example, risks to ERP services, business services, cloud environments, customer databases etc.

Boards need visibility into business insights and real-world ramifications. They need to understand the efforts being made to reduce risk and how these efforts are paying off.

Most importantly, they need answers to the key questions:

  • What can be compromised today?
  • What is the likelihood of that happening?
  • What is the aggregate impact?
  • What is the level of operational risk?

How XM Cyber Supports Better Board Reporting

XM Cyber helps organizations understand how attackers can compromise their critical assets across any environment – on premises or in the cloud.

Our technology uses sophisticated attack modeling to map all possible attack paths an attacker could take due to misconfigurations, vulnerabilities, overly permissive identities etc. to compromise business-critical assets. XM Cyber then quantifies the risk to your critical assets and shows which techniques can be used to get to them, focusing remediation efforts.

XM Cyber’s attack path management platform provides the tools you need deliver a straightforward and quantifiable presentation of risk and ROI to your board.

  • XM Cyber’s adversarial risk reporting for boards allows you to slice through the white noise associated with reporting conventional metrics. Instead, they can focus on the crux of the matter: Are our critical assets safe?
  • XM Cyber also provides the tools to show how changes over time directly impact risk and contextualizes those risks to each part of the business.
  • We enable you to deliver a powerful demonstration of how cost-efficient cybersecurity initiatives can be aligned with business needs.

The Takeaway

The persistent disconnect between CISOs and their boards can be healed by elevating CISOs in the reporting structure and changing their reporting approach.

XM Cyber plays a key role by showing what percentage of critical assets are at risk at any given time, what needs to be remediated first to lower risk and whether organizational security investments are paying off.

By answering core questions like these, we can vastly improve reporting — and keep critical assets away from attackers.


Michael Greenberg

Find and fix the exposures that put your critical assets at risk with ultra-efficient remediation.

See what attackers see, so you can stop them from doing what attackers do.