[evanjrowley]

You might get promoted to CISO if you can come up with a creative way to quantify the risk. Risk management frameworks can communicate how the impact, likelihood, and possible responses would play out in dollar amounts. With a few proposed ideas for how different risk mitigations would affect the resulting residual risk, non-technical people may be able to adopt your vision for securing the enterprise.

Yes, it also means doing basic things like saying "security is important", "vulnerabilities are bad", and "supply chain risk should be addressed", etc. The more informed you are, the more of a pain this is, at least in my experience (disclaimer: I'm not a CISO).

[TeMPOraL]

1) Frame as much of the risk in terms of reputation damage;

2) Present a huge dollar number to make it sound important;

3) Get promoted as everyone high-up implicitly understands that reputational damage is a fiction that never materializes in practice.

[borski]

That’s not how CISOs get promoted. If a CISO presented it this way, the very obvious next question is “and how much will it cost us to fix” followed by “and how much will insurance cover,” which are both going to blow the reputational damage argument out of the water.

CISOs get promoted by being willing to focus on compliance over security, so that they can cover the company if and when it inevitably gets breached by saying they “followed best practices” (if that’s true).

All of this is because resolving a breach and giving everyone a year of identity theft protection is a lot less expensive, short-term, than actually investing in a real security practice, and companies in the US think in quarters, not years.

Europe is better about this because they tend to think many years ahead rather than focusing on short-term results.