Can a CISO report directly to the board when there’s a breach, rather than the CIO?
Head of Information Security in Finance (non-banking), 1,001 - 5,000 employees
After confirmation of the data breach, the CISO should report to the CEO to activate the incident response plan (IRP). All communication channels are defined in the IRP, such as reporting to the CIO and the board, preparing the public statement with marketing, and communicating with the regulator.
Director of Information Security in Telecommunication, 10,001+ employees
Without starting to argue about who the CISO should report to, I assume that in your case the CISO is reporting to the CIO. The straight answer to your question is: yes, when the data breach is estimated to have a significant impact on the business.
The CISO doesn't want to involve the board for a limited or low-significance data breach, but there is a clear need, even a regulatory requirement, to involve the board if something significant happened/is happening.
Moreover, thresholds for escalation should be clearly defined in incident response management processes.