Welcome to The Age of CISOs Quantifying Risk
Cyber attacks are an inevitable part of everyday business for organisations worldwide. However, despite the increased awareness of the major consequences a successful attack can have, many organisations are still downplaying the risks.
By Miles Tappin, VP of EMEA at ThreatConnect
As a result of the potential economic cost and damage to business reputation that cyber attacks can have, it is vital that organisations understand how to manage the risks accordingly. However, this isn’t the case for many companies. CISOs are currently struggling to not only measure but also evaluate the real impact attacks can have and are subsequently unable to explain the risks to the rest of the C-suite and the Board of Directors. This will prove detrimental in the long term, damaging overall security programmes.
Board members bear the responsibility to govern all areas of a corporation. Delivering a siloed, technical view of cyber security misses the mark for the business-centric board. In fact, it risks creating distraction and confusion. Rather, CISOs must now provide the board with information that they can compare to other enterprise risks.
A financial view into cyber risk
Data security teams are collecting more data on threats and vulnerabilities than ever before. Most CISOs at Fortune 1000 companies are drowning in data and alerts.
The reality is that most security leaders struggle to explain to their fellow C-suite executives and board of directors how at risk their organisations actually are from cyber events because they can’t translate threats and vulnerabilities into the real picture they need to provide - a financial and business view into cyber risk.
This failure is one of the most significant issues facing the cyber security industry today. After all, the role of the CISO is not only to defend IT systems but to ensure that risk is mitigated and the business is protected from harm.
Understanding the greatest risks
Without understanding that risk is a business issue, not a technical issue, CISOs will likely not focus their resources on the right things. Most businesses don’t know what their exposure is to any given cyber event, including what the impact could be in terms of lost revenue, response costs, and secondary loss. Until now, the result has been a lack of focus on the risks that matter most to the business and an inability to communicate an accurate risk posture to the C-suite and board of directors.
To be able to communicate with the board effectively, cyber security teams must learn how to talk business. That means quantifying cyber risk in financial terms. Taking this approach will not only get the rest of the C-suite on side, but by understanding where the greatest risks lie, CISOs will be able to more easily prioritise the focus of their teams - where to look, what to defend, and what responses to prioritise.
As Deloitte argues, going forward CISOs will be under increasing pressure to “collect and report cyber risk in dollar terms in a way that both technical and nontechnical stakeholders can understand. Without such efforts, organisations may find it increasingly more difficult to navigate the rough seas of cyber risk on the horizon.”
Prioritising Cyber Risk Quantification (CRQ)
We all know the importance of threat intelligence - the ability to gather large amounts of data, analyse it and identify the most critical threats. With SOCs under increasing pressure and facing a growing number of threats, many in the industry also understand the need to orchestrate and automate responses, driven by intelligence, where possible.
However, to deliver true value to the business, it’s time to add Cyber Risk Quantification (CRQ) into the equation. Integrating CRQ into your approach will fundamentally alter the way security works and how it is communicated to the business. CRQ technology enables businesses to create a financial view into cyber risk, allowing for proactive cyber defence and data-driven decision making across the board. Quantifying risk on the basis of possible losses from business interruption and response allows exposure to be linked directly to the business services that are affected. This is the missing link in the ability of CISOs to communicate - and more importantly, manage - the risks facing their companies.
The growing pace and sophistication of nation state attacks, coupled with an ever-expanding attack surface, make our ability to accurately quantify and prioritise cyber risks within the context of our individual businesses an urgent priority for 2021. To do this, however, CISOs must be able to speak the language of the business.
The odds of your organisation being targeted are higher than you think, and you need to ensure that your security teams are focusing their attention and limited resources on the most important threats. It is vital that the whole business understands the risks that cyber criminals pose and, in turn, how it can defend itself against future threats.