Can a CISO report directly to the board when there’s a breach, rather than the CIO?

1.3k views, 3 Comments

Founder/Chairman/CTO in Telecommunication, 201 - 500 employees
We've seen companies that use bug bounty programs plug those results directly into board-level reporting around overall resilience. Atlassian offers the highest level incentive to the crowd and then the velocity of critical issues coming through serves as a proxy indicator of the cost to attack the company overall, which is a fascinating way of doing it. That gives you some metric to at least tell you where you are at a particular point in time. And more importantly for the CISO, when it comes to budget, you can trend it. You can talk about the direct improvements that you've made that have been a product of whatever you've done from a program standpoint. Not many organizations are doing that. Most of our industry's defined by nothing happening if we're doing it right, so it's a good thing to be able to go back and show some positive feedback based on your efforts to be more secure, wherever you can get your hands on that.

Then you can say, “We had this many events, we blocked this many attacks, and we pushed this many different things.” Trailing indicators are traditionally what CISOs will try to distill and surface up to the board. But it's the leading indicators that you want to look for. And if they have a dollar sign attached it's even better, because boards know how to pay attention to dollar signs. In the absence of that metric, the only time a company's ever going to say, “We should have spent more money on security,” is after they have been hacked. That's not a conversation that you hear proactively. It usually takes place after something bad has happened, so how can you flip that narrative and have it become a part of how the business thinks about risk management and how it deploys capital overall?
Head of Information Security in Finance (non-banking), 1,001 - 5,000 employees
After a data breach is confirmed, the CISO should report to the CEO to activate the incident response plan (IRP). All communication paths are defined in the IRP, such as reporting to the CIO and the board, preparing public statements with marketing, and communicating with the regulator.
Director of Information Security in Telecommunication, 10,001+ employees
Without starting to argue about who the CISO should report to, I assume that in your case the CISO is reporting to the CIO.
The straight answer to your question is: yes, when the data breach is estimated to have a significant impact on the business.
The CISO doesn't want to involve the board for a limited or low-significance data breach, but there is a clear need, even a regulatory requirement, to involve the board if something significant happened/is happening.
Moreover, thresholds for escalation should be clearly defined in incident response management processes.
