“Disconnected” CISOs struggling to assert security’s relevance to the business

I have a different perception of the CISO/CSO struggle. Information security and, especially, privacy are seen as a ‘cost of doing business’ rather than an integral part of the value proposition by many organisations. If you are investing in keeping your clients’ data safe, it’s good marketing to tell them and helps differentiate you from the competition. As an example, take a look at how Apple distances itself from Google…:

Evaluating the value of IT-security initiatives is difficult because “disconnected” security professionals work to key performance indicators (KPIs) that don’t translate well into business terms, according to a new report that warned the situation is promoting CISO burnout by marginalising security practitioners and making them question their professional value.

Fully 44 percent of the 565 IT decision-makers – from five countries, including Australia and New Zealand – surveyed in the Thycotic-Sapio Research Cyber Security Team’s Guide To Success said they have no clear vision of what other departments in their organisations consider to constitute “success”, with 43 percent saying that overall business goals are not communicated to them.

Security teams’ “everyday focus on responding to immediate threats and incidents leads them to become too disconnected from the business,” the report noted, with just 21 percent of IT decision-makers believing their role or team “consistently meets expectations”.

[…]

Original article here