FEATURE
However, many cyber leaders have spent so long trying to be heard that they’re still talking about security the same way they did a decade ago.
Risk isn’t the headline; cost and revenue are
While a growing number of business leaders now understand that cyber-risks exist and believe that they need to be addressed, it’s important to remember that the board likely doesn’t care about risk in the same way security professionals do.
Risk is on the agenda, but it’s still usually sitting somewhere in the middle. Revenue and cost will always be taking first and second place, and cyber-risk is probably down at number eight of the top 10. It’s in the running, but it’s unlikely to be keeping anyone else up at night.
Yet so many CISOs still walk into board meetings armed with risk registers, audit frameworks and traffic-light dashboards. Again, these are the same tools we used 10 years ago in a bid for attention.
Instead of entering a meeting with the goal of moving cyber up from number eight to the top of the list, the goal should be to frame how it’s relevant to the things that are already heading the agenda.
Cyber heads are well aware that security is deeply tied to revenue and cost, but they need to make sure this is properly conveyed to the rest of the board. That means translating every discussion about exposure or resilience into a conversation about cost avoidance and revenue protection.
Gartner’s own data backs this up. When CEOs are asked what they truly prioritise, 53% cite growth and revenue, and 41% cite cost control. Only 35% put risk or resilience near the top. The message is clear: if we want their attention, we have to speak their language.
www.intelligentcxo.com