Inaugural Research Report from RSA Conference Executive Security Action Forum (ESAF) Provides a Rare View into What Top CISOs Report to Boards of Directors

News provided by

Oct 12, 2022, 08:30 ET

The First in a Series of CISO Perspectives Research Shares Candid Opinions and Tangible Examples from Leading CISOs Representing Several Industries on What They Report to the Board and Why

BOSTON, Oct. 12, 2022 /PRNewswire/ -- RSA Conference, the world's leading information security conferences and expositions, released research today that provides an in-depth look into how Fortune 1000 CISOs report to boards of directors on cyber risk management. Due to the threats present in today's global landscape, cyber risk is now a priority concern at the executive governance level and above as it is considered strategic risk that could significantly impact the business.

This unique report is the work of the RSA Conference Executive Security Action Forum (ESAF), a community of Fortune 1000 CISOs. The research was steered by the ESAF Program Committee, a group of 15 CISOs from global companies, including Bayer, Capital One, Cisco, Evernorth (Cigna), HCA Healthcare, Infosys, Leidos, Liberty Mutual, McKesson, Meta Platforms, Procter & Gamble, Sony, Vodafone, and Walmart, which highlight the top-priority topics that CISOs want to discuss with their peers. RSAC ESAF, an invitation-only community for confidential information sharing, has met regularly behind closed doors for nearly 20 years. For the first time, ESAF is sharing the knowledge of its members with the wider community.

"To be good at the job, a CISO must be good in front of the board. Even if a CISO is already okay in front of the board, they all want to get better. It makes a huge difference in their careers", said Brad Arkin, Senior Vice President, Chief Security and Trust Officer of Cisco and ESAF Program Committee Member. "This is great research that gives CISOs plenty of ideas."

The research addresses pressing issues such as how to convey cyber risks to the board and what metrics to share with them to address their concerns and meet board objectives. Boards need visibility into the right information to maintain a legally defensible position that they are providing effective oversight of.

"This RSAC ESAF research was led by some of the foremost CISOs in the industry, to meet the needs of the larger CISO community," said Britta Glade, Senior Director of Content and Curation for RSA Conference. "Even the most experienced CISOs are looking for ways to improve their updates. This report shares practical examples that they can immediately use."

Highlights of the report include:

How CISOs gauge the board's appetite for cyber risk
Ways to convey the top risks and how they are being prioritized
Views on how to select and present metrics, and what metrics to leave out
Why boards want to see maturity scores

The report includes actual examples from board updates such as:

8 examples of how board updates are organized (tables of contents)
15 examples of charts, diagrams, and metrics dashboards from actual presentations and memos
30 examples of metrics used in board updates

This report and a conversation with ESAF CISO program committee members Arkin, Emma Smith, Chief Information Security Officer at Vodafone, and JR Williamson, Senior Vice President and Chief Information Security Officer at Leidos will be the focus of a webcast on October 25, 2022. To register for this event, please click here.

Click to download a copy of the report.

About RSA Conference

RSA Conference is the premier series of global events and year-round learning for the cybersecurity community. RSAC is where the security industry converges to discuss current and future concerns and have access to the experts, unbiased content and ideas that help enable individuals and companies to advance their cybersecurity posture and build stronger and smarter teams. Both in-person and online, RSAC brings the cybersecurity industry together and empowers the collective "we" to stand against cyberthreats around the world. RSAC is the ultimate marketplace for the latest technologies and hands-on educational opportunities that help industry professionals discover how to make their companies more secure while showcasing the most enterprising, influential, and thought-provoking thinkers and leaders in cybersecurity today. For the most up-to-date news pertaining to the cybersecurity industry visit www.rsaconference.com. Where the world talks security.

About RSAC ESAF

The Executive Security Action Forum (ESAF), an RSA Conference (RSAC) community, has been a trusted forum for Fortune 1000 security executives since 2003. Led by a program committee, the community shares information at confidential sessions throughout the year and at our annual meeting at RSA Conference, enabling security leaders at some of the world's largest enterprises to collaborate and find actionable solutions to common challenges.

SOURCE RSA Conference