Cyber security is a topic towards which even companies’ boards of directors have started to take an interest, at least when it is presented to them in a context that matters: company risk. Presenting cyber security in the right way ensures that it is taken seriously within a respective organization – and it is also an opportunity for a CISO to grow his or her area of influence within the company.
What negative consequences can follow a breach?
Being prepared for breaches is a must – anyone can be a target. But with good vulnerability management practices in place, it is much less likely that your organization will get hit. After all, the majority of all breaches are caused by unpatched software.
The effects of a breach:
How to report on vulnerabilities?
When it comes to vulnerabilities, the board will be the most interested in risk assessment, instead of pure numbers. They are likely to ask questions like “What is our risk level now?”, “Where was it before?” and “Where do we need our risk level to be today versus before?”. The board wants to know and understand the CISO’s capabilities in responding to different threats directed against company assets.
Report on cyber security risk:
In addition to the CISO’s current threat protection protocol, the board will be interested in the overall likelihood of a breach, the current threat landscape and the potential negative consequences of a successful cyber-attack. The CISO needs to create a simple but effective story that conveys the company’s current cyber security situation to top leadership. A proper story should contain accurate risk analysis and evocative future projections for different scenarios – for example, an attack’s potential to cripple the organization’s operations. The board wants you to:
- Move beyond reporting raw vulnerability findings
- Adopt a clear and methodological approach to evaluating exposure to risk
- Integrate the value of a company’s assets with external threat intelligence
- Create a simple reporting metric that paints a clear picture of business risk
- Prepare reports that even the most non-technical board members can understand
In conclusion, what a champion CISO really needs is a metric to measure risk. By effectively conveying the company’s current security situation and future risk projections to the board – in essence, where they are and where they need to be in terms of cyber security – the CISO can base his or her requests for more funding and resources on concrete data and analysis. This will allow the company to steer itself away from risk and towards profit – the main goals of most boards of directors.