That’s not how CISOs get promoted. If a CISO presented it this way, the very obvious next question is “and how much will it cost us to fix” followed by “and how much will insurance cover,” which are both going to blow the reputational damage argument out of the water.
CISOs get promoted by being willing to focus on compliance over security, so that they can cover the company if and when it inevitably gets breached by saying they “followed best practices” (if that’s true).
All of this is because resolving a breach and giving everyone a year of identity theft protection is a lot less expensive, short-term, than actually investing in a real security practice, and companies in the US think in quarters, not years.
Europe is better about this because they tend to think many years ahead rather than focusing on short-term results.
2) Present a huge dollar number to make it sound important;
3) Get promoted as everyone high-up implicitly understands that reputational damage is a fiction that never materializes in practice.