This misalignment means that when a major incident does occur, it won't just be the organization that feels the effects; it's likely to reflect badly on the reputations of board members, both individually and collectively.
Because of this, the CISO role must evolve, Durbin says.
"The role of the CISO these days is to anticipate, not to make sure the firewall stays up," he says. "You have to anticipate how the challenges coming down the road will affect the business and articulate that to the board. A good CISO needs to be a salesman and a consultant. You can't not have both. I can be the best consultant in the world, but if I can't sell my ideas to you, it's not going to go anywhere in the board room."