
“The board is fatigued. Board members are increasingly questioning if that capital is distributed effectively. But the CISO responds with this highly technical set of metrics they neither care for nor understand,” Hetner explains. “There is fatigue in the audit committee, in the board room, and among chief executives who, even after all these years working with security executives, still have limited visibility into where cyber security budgets are being deployed, let alone understanding how these investments reduce business risk and operational exposure.”
According to Hetner, all but the most regulated, risk-averse industries (such as finance) usually lack an ERM function, which he defines as a critical conduit for the CISO to align security metrics with business, operational, financial, and regulatory requirements, and eventually with board engagement. Without that layer, CISOs operate on their own islands, which negatively impacts their ability to present the right metrics to their business leaders. To get started, he points out how frameworks like the COSO ERM framework tie into cyber security frameworks.
“Boards are faced with complex matters such as the impact of interest rates, tariffs, stock price volatility, supply chain issues, profitability, and acquisitions. Then the CISO enters the boardroom with their MITRE ATT&CK framework, patching metrics and NIST maturity models,” Hetner continues. “These metrics are not aligned to what the board is conditioned to review.”
