Become a champion CISO – learn to report on risk

Reporting on risk, rather than on the number of vulnerabilities found or fixed, is an opportunity to gain C-level interest in cyber security.

Author: Eija Paajanen
Date: 17.07.2017
Read Time: 2 Minutes

Cyber security is a topic in which even companies’ boards of directors have started to take an interest, at least when it is presented to them in a context that matters to them: company risk. Presenting cyber security in the right way ensures that it is taken seriously within the organization – and it is also an opportunity for a CISO to grow his or her area of influence within the company.

Report on risk rather than the number of vulnerabilities

What negative consequences can follow a breach?

Being prepared for breaches is a must – anyone can be a target. But with good vulnerability management practices in place, it is much less likely that your organization will get hit. After all, the majority of all breaches are caused by unpatched software.

Figure: The effects of a breach – what happens when you are hit by a cyber breach?

How to report on vulnerabilities?

When it comes to vulnerabilities, the board will be most interested in risk assessment rather than in pure numbers. They are likely to ask questions like “What is our risk level now?”, “Where was it before?” and “Where do we need our risk level to be today compared with before?”. The board wants to know and understand the CISO’s capabilities in responding to the different threats directed against company assets.

Figure: Report on cyber security risk – cyber risk reporting

In addition to the CISO’s current threat protection protocol, the board will be interested in the overall likelihood of a breach, the current threat landscape and the potential negative consequences of a successful cyber-attack. The CISO needs to create a simple but effective story that successfully conveys the company’s current cyber security situation to top leadership. A proper story should contain accurate risk analysis and evocative future projections for different scenarios – for example, an attack’s potential to cripple the organization’s operations. The board wants you to:

  • Move beyond simply counting vulnerabilities
  • Adopt a clear and methodical approach to evaluating exposure to risk
  • Integrate the value of a company’s assets with external threat intelligence
  • Create a simple reporting metric that paints a clear picture of business risk
  • Prepare reports that even the most non-technical board members can understand

In conclusion, what a champion CISO really needs is a metric with which to measure risk. By effectively conveying the company’s current security situation and future risk projections to the board – in essence, where they are and where they need to be in terms of cyber security – the CISO can base his or her requests for more funding and resources on concrete data and analysis. This allows the company to steer itself away from risk and towards profit – the main goals of most boards of directors.
