Miles Tappin, VP of EMEA at ThreatConnect, discusses why it is essential for CISOs to explain to their fellow C-suite executives and board of directors how at risk their organisations actually are from cyber events
The risk of businesses being hit by a cyberattack is increasing and the financial impact from cyber events is potentially catastrophic. For most organisations, it’s a matter of if, not when. Deloitte warns that organisations face an era of ‘cyber everywhere’ as “hyper-connected, unparalleled connectivity combined with the Internet of Things (IoT) and other emerging technologies,” results in expanding attack surfaces.
However, CISOs are struggling to assess and explain the potential impact of cyber events and the depth of these risks to the rest of the C-suite and the Board of Directors. As a result, most organisations are blind to the true risks they face and are unable to prioritise their security programs to effectively drive risk out of the equation.
Aligning security with the boardroom
As well as the number of threats increasing, security teams are collecting more data on risks and vulnerabilities than ever before. Most CISOs at Fortune 1000 companies are drowning in data and alerts.
Despite having all of this information, most security leaders struggle to explain to their fellow C-suite executives and board of directors how at risk their organisations actually are from cyber events. They can’t translate threats and vulnerabilities into the real picture they need to provide – a financial view into cyber risk.
This failure is one of the most significant issues facing the cybersecurity industry today. After all, the role of the CISO is not to defend IT systems but to ensure that risk is mitigated and the business is protected from harm.
Time to quantify risk
To be able to communicate with the board effectively, cybersecurity teams must learn how to talk business. That means quantifying the risk in both cyber and financial terms. Taking this approach will not only get the rest of the C-suite on side, but, by understanding where the greatest risks lie, CISOs will be able to more easily prioritise the focus of their teams: where to look, what to defend, and which responses to prioritise. As Deloitte argues, CISOs will be under increasing pressure to “collect and report cyber risk in dollar terms in a way that both technical and non-technical stakeholders can understand. Without such efforts, organisations may find it increasingly more difficult to navigate the rough seas of cyber risk on the horizon.”
CRQ becomes as important as TIP and SOAR
We all know the importance of threat intelligence: the ability to gather large amounts of data, analyse it and identify the most critical threats. With SOCs under increasing pressure and having to deal with a growing number of threats, many in the industry also understand the need to orchestrate and automate responses, driven by intelligence, wherever possible.
However, to deliver true value to the business, it’s time to add Cyber Risk Quantification (CRQ) into the equation. Integrating CRQ into your approach will fundamentally alter the way security works and how it is communicated to the business. CRQ technology enables businesses to create a financial view on cyber risk, allowing for proactive cyber defence and data-driven decision making across the board. By quantifying risk, based on possible losses from business interruption and response, exposure can be directly linked to the business services that are affected. This is the missing link in the ability of CISOs to communicate – and more importantly, manage, the risks facing their companies.
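To make the idea of a financial view on cyber risk concrete, here is an added, self-contained example (not code from the article or from ThreatConnect) of the simplest CRQ model a practitioner would build: each scenario is tied to a business service, given an annual probability of occurring and a low/most-likely/high loss range, and then both an analytic expected annual loss and a Monte Carlo loss-exceedance curve are produced. The service names, probabilities and loss figures are constructed illustrations, and the triangular loss distribution is a modelling assumption, not a method the article prescribes.

```python
import math
import random
from dataclasses import dataclass


@dataclass(frozen=True)
class Scenario:
    """One loss scenario tied to a business service. All figures are constructed examples."""
    service: str
    event: str
    p_annual: float   # probability that at least one such event occurs in a year (assumed)
    loss_low: float   # plausible minimum loss per event, in currency units (assumed)
    loss_mode: float  # most likely loss per event (assumed)
    loss_high: float  # plausible maximum loss per event (assumed)


# Constructed sample register: exposure is expressed per business service, not per CVE.
SCENARIOS = [
    Scenario("Customer portal", "ransomware outage", 0.30, 200_000, 900_000, 4_000_000),
    Scenario("Payments API", "card data breach", 0.10, 1_000_000, 3_000_000, 12_000_000),
    Scenario("Internal wiki", "defacement", 0.60, 10_000, 40_000, 150_000),
]


def expected_annual_loss(s: Scenario) -> float:
    """Analytic expected loss per year: P(event) x mean of the triangular loss range."""
    return s.p_annual * (s.loss_low + s.loss_mode + s.loss_high) / 3.0


def rank_by_expected_loss(scenarios):
    """Order scenarios by expected annual loss, highest first: the prioritisation view."""
    return sorted(scenarios, key=expected_annual_loss, reverse=True)


def simulate_annual_losses(scenarios, years=20_000, seed=1):
    """Monte Carlo: total loss across all scenarios for each of `years` simulated years."""
    rng = random.Random(seed)  # seeded so the run is reproducible
    totals = []
    for _ in range(years):
        total = 0.0
        for s in scenarios:
            if rng.random() < s.p_annual:
                # random.triangular takes (low, high, mode)
                total += rng.triangular(s.loss_low, s.loss_high, s.loss_mode)
        totals.append(total)
    return totals


def percentile(values, q: float) -> float:
    """Nearest-rank percentile, q in [0, 1]."""
    ordered = sorted(values)
    return ordered[int(round(q * (len(ordered) - 1)))]


def exceedance_probability(values, threshold: float) -> float:
    """Fraction of simulated years whose total loss is at or above `threshold`."""
    return sum(1 for v in values if v >= threshold) / len(values)


def board_summary(scenarios=SCENARIOS, years=20_000, seed=1) -> dict:
    """The numbers a CISO would put in front of the board, in money rather than CVE counts."""
    losses = simulate_annual_losses(scenarios, years, seed)
    return {
        "expected_annual_loss": sum(expected_annual_loss(s) for s in scenarios),
        "simulated_mean": sum(losses) / len(losses),
        "p95_annual_loss": percentile(losses, 0.95),
        "p_loss_over_1m": exceedance_probability(losses, 1_000_000),
        "top_exposure": rank_by_expected_loss(scenarios)[0].service,
    }


if __name__ == "__main__":
    for s in rank_by_expected_loss(SCENARIOS):
        print(f"{s.service:16} {s.event:20} expected annual loss {expected_annual_loss(s):>12,.0f}")
    for k, v in board_summary().items():
        print(f"{k:22} {v:,.2f}" if isinstance(v, float) else f"{k:22} {v}")
```

The ranking answers "where to look" (the payments breach outranks the far more frequent wiki defacement because it is priced, not counted), while the 95th-percentile and exceedance figures answer the board's question of how bad a bad year looks. Replacing the triangular distribution with calibrated frequency and magnitude estimates is where a real CRQ programme spends its effort; the reporting shape stays the same.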
This ability to treat cyber as a business risk has never been more mission-critical. After all, failing to prevent an attack can cost hundreds of millions, damage a brand and destroy the credibility of management. For example, research from Veritas Technologies suggests that 40% of consumers hold the CEO personally responsible for ransomware attacks. So, it is vital that the risks faced are understood by the whole business. Only then will companies be able to take appropriate action to defend against adversaries.