It’s time for CISOs to step up, writes Miles Tappin, VP of EMEA at ThreatConnect.
Businesses are under constant threat from cyber criminals, and the financial impact of a successful attack can be devastating. As organisations enter an era of ‘cyber everywhere’, attacks are more frequent and, as a consequence, more damaging; the question is no longer if an organisation will be attacked but when.
Despite this heightened risk, it has become clear that many CISOs are underprepared and struggle to evaluate, and to explain to the rest of the C-suite, the real impact a cyber event would have on the business. As a result, many organisations do not know what their real risks are, how those risks rank against each other, or how response and mitigation efforts should be prioritised.
Most CISOs at Global 2000 companies are drowning in what they believe are priorities. As the number of threats grows and the attack surface expands with digital transformation, the work needed to secure the organisation can seem endless. The reality is that most security leaders do not know which risks matter most to the business, because they cannot translate threats and vulnerabilities into the picture the board actually needs: a financial view of cyber risk.
This gap is one of the most significant issues facing the cybersecurity industry today. After all, the role of the CISO is not to defend IT systems for their own sake but to ensure that risk is mitigated and the business is protected from harm.
Quantifying cyber and financial risk
To communicate effectively with the board and the wider business, cybersecurity teams must learn to talk business. That means quantifying cyber risk in financial terms. This approach not only brings the rest of the C-suite on side; by understanding where the greatest risks lie, CISOs can more easily prioritise their teams’ focus: where to look, what to defend, and which responses come first. As Deloitte argues, CISOs will come under increasing pressure to “collect and report cyber risk in dollar terms in a way that both technical and nontechnical stakeholders can understand. Without such efforts, organisations may find it increasingly more difficult to navigate the rough seas of cyber risk on the horizon.”
It’s time to add Cyber Risk Quantification (CRQ) into the equation
We all know the importance of threat intelligence: the ability to gather large amounts of data, analyse it and identify the most critical threats. With SOCs under growing pressure and facing an ever larger number of threats, many in the industry also recognise the need to orchestrate and automate responses, driven by that intelligence, wherever possible.
To deliver real value to the business, however, it’s time to add Cyber Risk Quantification (CRQ) into the equation. Integrating CRQ into your approach fundamentally changes how security works and how it is communicated to the business. CRQ enables an organisation to build a financial view of cyber risk, supporting proactive cyber defence and data-driven decision making across the board. By quantifying risk in terms of the possible losses from business interruption and incident response, exposure can be tied directly to the business services that would be affected. This is the missing link in the CISO’s ability to communicate, and more importantly to manage, the risks facing the company.
Treating cyber as a business risk is essential if your organisation is to remain secure. It helps organisations avoid the financial costs that attacks bring and strengthens the overall credibility of management and of the brand. With 40 per cent of consumers holding CEOs personally responsible for ransomware attacks, the time for companies to act against future threats is now.