The ISO is going to the CEO saying there's a chance something bad, and possibly something embarrassing, could happen. But how much of a chance, the ISO doesn't know. And if he spends this kind of money, he can reduce the risk but by how much, he doesn't know. It's simply not enough data. Every other C-level executive does better than that and takes on the responsibility for defining the risk. Here, the CISO is putting the responsibility on the CEO. They don't want it, and eventually they won't take it.
|