Members of the C-suite often aren’t speaking the same language around cyber risk, and reporting lines are reinforcing silos. For instance, the general counsel thinks about the issue in terms of compliance with information security regulations such as the European Union’s General Data Protection Regulation. The chief information security officer (CISO) or chief information officer (CIO) reports the technical vulnerabilities that his or her team has successfully remediated. The chief risk officer (CRO) looks at the problem in terms of risk transfer and cyber insurance purchased. And the chief financial officer is looking at the potential financial impact.
via Why the Entire C-Suite Needs to Use the Same Metrics for Cyber Risk