How can companies work harder to give CISO and CIO equal seats at the table?
Sort by:
Companies that don't give security a seat at the table with a board equivalent to the CIO are foolish. They give the CIO that seat at the table because of the risk of the business: If my IT systems are down or if they’re malfunctioning for a week at a time, I'm out of business. But if you get hit by ransomware, your CISO has that same risk and deserves the same level of attention as the CIO because they're both protecting the company from the same risk.
The CISO is managing a bigger malicious attack surface. In IT systems, from an operational standpoint, hardware can fail, etc., but that's not malicious. In the cyber security space, bad actors are maliciously trying to disrupt and bring down the business. Some of these ransomwares will take down a company for a week or longer—if you do a business impact analysis on that, then the importance of the CISO’s input is clear.
If companies wanted this, it would be. The biggest barrier is the number of c-level CIO and CISO candidates available. Make the hire and make it at the level needed.