As more enterprises become digital businesses and rely on applications to keep pace with innovation, the value of security will continue to grow. However, CISOs often struggle with non-IT executive communication and demonstrating how their programs provide value. For enterprises to remain competitive in this application economy, it is up to CISOs to communicate how strong security programs are linked to corporate performance.
For years CISOs have struggled to gain the respect the importance of their role deserves. This is in part because the CISO's role was seen as necessary, but tactical. Also, the metrics CISOs and other security leaders used to demonstrate the value of security focused mostly technical accomplishments. Because business leads did not understand the technical language spoken by the CISO, they wrongly assumed that a lack of a breach meant they were secure.
This resulted in CISOs not receiving the respect they deserved, but also not being able to make strong cases for projects they knew were imperative to reducing risk at their enterprises. For example, while application security is a major concern for most CISOs, it is not a priority at most enterprises.
What CISOs need to do is learn to speak the language of their peers in senior management. The best way to make a case for security projects is to link security to the corporation's performance. Gartner provided 8 Practical Tips for Linking Security and Risk Management to Corporate Performance in a recent report by Paul Proctor. I highly recommend any CISO trying to reduce risk at their enterprise read through this document for some practical advice on improving communication with senior management.
You can find it here: https://info.veracode.com/analyst-report-gartner-8-practical-tips.html