Why is zero breach an awful way to measure a CISO's effectiveness?

Question

Answer

#DetailsMatter Was the breach material? What was the extrinsic and intrinsic cost of the breach? Did the CISO have the support of the C-Suite and Board, or were they the scapegoat?

Answer

A CISO exists to enable secure business. If the only thing that matters is preventing a breach the ciso should do everything in his or her power to prevent risk, regardless of business impact, and would be incented to hide discovery of weaknesses or compromise.

Answer

Think of going to your doctor for a regular checkup. Doctor checks your BMI; it is 20 and sends you home. That would be a terrible approach to healthcare.

To use a single indicator for overall health. So too here – the lack of a breach means nothing without context. In addition, there are at least 20 significant other indicators that are equally meaningful and significant.

Why is zero breach an awful way to measure a CISO's effectiveness?

Content you might like

Do you plan to deploy security containers in the next 6-12 months?

My organization’s plans to return to the office in 2022 will be postponed.

What are some great on-prem and SaaS programs for internal PKI and Certificate Life Cycle Management?

How does your company handle AD accounts after a person leaves the company? We have been changing the passwords, disabling them, and moving them to a separate OU, but I'm interested to hear if you do anything else.

What is the best work travel advice you’ve ever been given?