A recent survey conducted by Advisen and Zurich found that 92 percent of executives view cyber risk as at least a “moderate threat” to their organizations, but addressing the risk leaves them with a sense of helplessness.
Let’s face it: CISOs struggle to make business stakeholders and IT managers place a high priority on security measures, and they certainly have a hard time explaining the business costs and repercussions of cyber security to C-level executives. At Think Systems Inc, we have partnered with enough CISOs to recognize the uphill battle they face in making their companies more secure.
We believe there are three essential problems that CISOs face:
- CISOs rely too much on their own opinion. This sounds ridiculous to a security professional who has honed their knowledge and opinions to a truly expert level, but they need to realize that they are often the harbinger of impending doom. Their opinion alone isn’t enough to change the hearts and minds of executives, especially if the executives have been lucky so far.
- CISOs do not know how to quantify cyber risk in terms of ROI or monetary risk to the business. C-level execs make decisions based on dollars and cents. They have no idea how to interpret or internalize technical cyber security jargon, so they may simply ignore it until it is too late.
- CISOs struggle with how to plan mitigation actions in terms that business stakeholders and IT fulfillment teams will accept. It’s a constant battle between doing what keeps the business secure and doing what keeps the business profitable.
We Have Answers:
- CISOs should have an opinion, but it must never be the only thing that drives recommendations. They need back-up. They need the ability to tell corporate executives, “Look, this isn’t just my opinion anymore. This is the risk profile of our company after being subjected to an attack simulation that is current and knows what’s going on out there.” They need a state-of-the-art cyber security threat analysis engine that can run a million attack scenarios from every threat vector imaginable in order to provide evidence that their opinion counts.
- C-level executives may not know cyber security, but they do know about Value at Risk (VaR) calculations. Converting a company’s cyber risk profile to a VaR model that explains the risk of a cyber attack on the business is speaking their language.
- Our BKPM Strategic and Tactical Project Managers operate as a Special Forces-style unit that helps CISOs develop executable plans to make things happen. We embed ourselves in the culture of the company and represent the needs of the CISO. CISOs know what needs to be done, but sometimes find it difficult to engage stakeholders and technical teams to make it happen. That’s where we step in; that’s where we take control.