
Security should top the list of priorities for business leaders, yet security leaders struggle to communicate their risks and needs to upper management. They also lack the tools required to automate some of their work.
New research from Blue Lava and AimPoint Group examines how effective security leaders are at managing their programs as well as communicating needs and priorities to executives and boards at their organizations. It also offers insights about security program management practices along with advanced features like automation that many leaders are deploying to streamline their operations.
Security leaders are playing more significant roles in the boardroom and making higher-level management decisions than they previously did. But that influence comes with the price of more frequent scrutiny from senior executives and the resulting time spent in meetings.
The report found that 37.3 percent of security leaders meet quarterly with their board of directors, while nearly 40 percent meet with them monthly.
The bottom line is that, while security is a high priority and has made its way into the boardroom, the operational processes and tools that would make C-suite meetings more effective are still lacking. The goal of those meetings is to communicate security priorities and investment needs, but security leaders don't always succeed in relaying their most pressing needs and risks.
One issue is that security leaders spend as much as 80 hours preparing for a single meeting with management, yet lack some of the valuable tools that would automate much of this prep work. Automation tools would free up hundreds of hours per year for CISOs and other senior security leaders.
“The study confirms that while frequent interaction between security leaders and boards of directors has become the norm, CISOs struggle to communicate their risks, progress, needs, and priorities to top executives and boards of directors,” said Demetrios Lazarikos, co-founder of Blue Lava. “We're seeing more and more accountability at the board level for cybersecurity initiatives — the recent SEC Guidelines on Cybersecurity is a key initiative that supports this effort.”
Security leaders also believe there are many areas of their programs that need improvement, and that more value could be added by collecting security data more efficiently. Leaders also believe peer data can be used to benchmark their program performance and help define and implement a long-term security roadmap.
The research, conducted in December of 2021, queried 268 U.S. CISOs, CIOs and senior security and risk managers at organizations with 500 or more employees. Blue Lava and AimPoint found that a majority of organizations only conducted an annual assessment of the maturity and effectiveness of their security programs or only did so for audits or other special situations.
For the latest information about the cyber landscape, join MSP Expo 2022, delivering four days of education and networking specifically focused on the MSP community, including one full track dedicated to security. MSP Expo 2022 takes place June 21-24, 2022 in Ft. Lauderdale, Florida and is collocated alongside the other #TECHSUPERSHOW events, including ITEXPO, Future of Work Expo, IoT Evolution Expo, The Blockchain Event, and more.
Edited by Erik Linask