
Best practices when communicating security risk to the C-suite

By Fawaz Rasheed
April 11, 2023

As cyberattacks continue to hamper organizations spanning all sizes and sectors, it has never been more critical for CISOs to have an open line of communication with the C-suite and the Board regarding risk. Although most CISOs recognize the importance of communicating risk, many of them struggle with illustrating the impact of their defenses on reducing risk in dollars, or what is referred to as quantifying cyber risk.

When quantifying cyber risk, one must measure both the financial impact and the likelihood of a cyber-related incident taking place. This usually involves identifying, validating and analyzing threats using mathematical models that factor in an organization’s loss expectancies, its investments in controls, and the probability and impact of each threat.

Cyber risks are very real, but how can security leaders translate their technical impact into terms that senior level executives can understand, prioritize and act upon? 

Think ahead: Anticipating C-suite questioning

Before a CISO can begin putting together any type of risk readout, they must first take a step back to understand the questions being asked of them by the C-suite and Board members. Of course, these questions will evolve over time, especially when a major data breach or vulnerability takes place in the industry. For the most part, CISOs should be prepared to answer the following questions:

  • What are the top risks and what is their dollar value impact to business?
  • How do we evaluate the effectiveness of our information security program by way of ROI?
  • Are we investing in the right areas?
  • Are we spending enough – or too much – on information security?

The responses to these questions will provide CISOs with a much better context that includes a business-oriented overview of the organization’s risk posture. This is the focal point.

Understanding qualitative vs. quantitative risk readouts

When CISOs are tasked with providing risk readouts to fellow executives and board members, those readouts generally fall into two macro categories: qualitative and quantitative. Security leaders need to know the difference between the two types of report, as well as the pros and cons of each.

Qualitative risk readouts are based on data that describes qualities or characteristics, often collected through questionnaires, interviews or general observation. These readouts have some inherent problems. For one, the common risk thresholds of “critical, high, medium and low” are defined either poorly or not at all. Additionally, risk tolerance and risk appetite levels are not incorporated into qualitative risk readouts, which makes all the difference in communicating the status of an organization's security posture. Most importantly, qualitative risk readouts do not speak in business financial terms; therefore, they don’t always address the C-suite’s priorities. These reports lack both the risk and impact in dollar amounts and the amount of risk reduction in dollars.

Quantitative risk readouts often get senior executives’ attention, in the best way possible, because the analysis is rooted in cost-based ROI from a business perspective. These readouts are based on metrics and provide a way to embed risk tolerance. They are also more accurate than qualitative, ordinal scales.
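As an added illustration (not from the article or its author) of the quantitative approach described above, the following Python builds a small board readout from loss expectancies: each threat's annualized loss expectancy (ALE = single loss expectancy x annual rate of occurrence), the dollar reduction a proposed control buys, the return on that security investment, and whether the residual loss sits within a per-risk tolerance the board has set. The risk register and tolerance figures are constructed for the example; the ALE/ROSI formulas are the standard ones, and the readout is shaped to answer the four C-suite questions listed earlier.

```python
from dataclasses import dataclass

@dataclass
class Risk:
    name: str
    sle: float          # single loss expectancy: dollars lost per incident
    aro: float          # annual rate of occurrence today (incidents per year)
    control_cost: float # annual cost of the proposed control
    aro_after: float    # expected incidents per year once the control is in place

def ale(sle, aro):
    """Annualized loss expectancy: expected dollar loss per year for one threat."""
    return sle * aro

def risk_reduction(r):
    """Dollars of expected annual loss removed by the control."""
    return ale(r.sle, r.aro) - ale(r.sle, r.aro_after)

def rosi(r):
    """Return on security investment: net benefit per dollar of control spend."""
    return (risk_reduction(r) - r.control_cost) / r.control_cost

def readout(risks, tolerance):
    """Board readout: risks ranked by current ALE, each with residual ALE, reduction
    in dollars, ROSI, and whether the residual sits within the per-risk loss tolerance."""
    rows = []
    for r in sorted(risks, key=lambda x: ale(x.sle, x.aro), reverse=True):
        residual = ale(r.sle, r.aro_after)
        rows.append({"risk": r.name, "ale": ale(r.sle, r.aro), "residual_ale": residual,
                     "reduction": risk_reduction(r), "control_cost": r.control_cost,
                     "rosi": round(rosi(r), 2), "within_tolerance": residual <= tolerance})
    return rows

def program_summary(risks):
    """Totals behind 'are we spending enough, or too much?': spend vs. loss avoided."""
    spend = sum(r.control_cost for r in risks)
    reduction = sum(risk_reduction(r) for r in risks)
    return {"spend": spend, "reduction": reduction, "net_benefit": reduction - spend}

# Constructed sample register; figures are illustrative and not from the article.
REGISTER = [
    Risk("ransomware", sle=2_000_000, aro=0.3, control_cost=150_000, aro_after=0.05),
    Risk("business email compromise", sle=250_000, aro=2.0, control_cost=60_000, aro_after=0.8),
    Risk("lost unencrypted laptop", sle=50_000, aro=1.0, control_cost=40_000, aro_after=0.2),
]
TOLERANCE = 150_000  # constructed: board accepts at most $150k expected loss per risk per year
```

In the sample register the email-compromise control has the best ROSI yet still leaves the residual loss above tolerance, which is exactly the kind of finding a qualitative "high/medium/low" readout cannot surface.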

Regularly communicating risk: Finding the proper cadence

Once a readout is prepared and communicated, it is not a “one and done” exercise. Cyber risk should be communicated to the C-suite and Board on a regular cadence. Communication is imperative when bolstering an organization’s security posture, and it starts with the CISO properly reporting risk to their peers. Through a quantitative readout approach, regular reporting and anticipating the C-suite’s concerns, security leaders will be well positioned to raise awareness of the organization’s better-defined risk levels and to get what they need in order to improve security defenses.

Fawaz Rasheed is the Field CISO at VMware.
