Intelligent CXO Issue 58 | Page 26

FEATURE

Thom Langford, CTO EMEA, Rapid7
Translating cyber-risk into business value
Part of our problem is that we've become fluent in the wrong language. Cyber leaders talk risk confidently (residual versus inherent, threat surfaces, attack vectors), but that's not the language of the boardroom. It's like a foreign currency: until we provide the exchange rate into costs and revenue, it's all just numbers on a page.
What we need is an 'abstraction layer' between security metrics and business outcomes. The board doesn't need to know about vulnerabilities patched or frameworks achieved; they need to know what they got for their investment.
A report highlighting that patching processes were faster this quarter won't get much attention. Instead, that report needs to say how this reduced cost, how it enabled growth and how it helped keep customers happy.
When we lead with outcomes, not operations, the conversation changes. We can still talk about risk, but we don't go to bat with it.
As the saying goes, the mountain isn't going to come to Muhammad. We have to meet the board where they are: in the world of EBITDA, not IDS.
Turning the board into a dialogue, not a download
One of the biggest shifts in any board interaction is realising that success isn't measured by how much you say, but by how many questions you get back. Gartner calls it the 'golden ratio': 45% of your time presenting, 55% in discussion. In other words, less show, more tell; less monologuing, more conversation.
When they ask 'How secure are we?' or 'How do you know?', that's not a challenge to the CISO's authority or competency; that's the engagement they really want. It's where understanding actually starts.
Strong, collaborative governance is a great way of ensuring this happens. With clear policies, a defined risk tolerance and alignment with the board's priorities, security decisions reflect real business needs.
www.intelligentcxo.com