Nehemiah Security partnered with MightyGuides to interview seven industry experts with the mission of advancing the risk management conversation among cyber professionals. Each interviewee was posed the question, “If your friend was put in charge of measuring cyber risk at their company, what advice would you give them?”
Before making a case for security expenditures to the C-suite or board, Kevin McLaughlin, associate professor at the American Public University, advises to start by understanding the priorities of your executives and the business as a whole. If you’re lucky, some executives will already have a grasp of how their priorities can be supported by security. If not, invest in educating a handful of business stakeholders. By doing so, they can serve as “touch points that allow you to understand the business priorities and make those priorities your priorities.” McLaughlin also emphasized the importance of tracking the company’s cyber risk efforts: “Always keep in mind the old leadership mantra that if it’s not measured and tracked, it’s probably not getting done. When you’re pushing risk mitigation, you have to have a way of tracking the mitigation efforts.”
I agree that measuring cyber risk is a continuous process. Quantifying big changes as well as any fine-tuning is critical to get the business behind security investments. But, these measurements must be communicated in a comprehensible language to its audience. Dollars are best because they are a standardized and informative measurement in enterprise risk management. This makes them actionable and empowers business leaders to make one of three decisions when it comes to cyber risk:
1) accept some level of the risk, 2) transfer the risk or 3) mitigate the risk.
Depending on the financial value of the risk, it may be better for an organization to accept the risk. For example, the CISO of a global energy company said if they experience a ransomware attack, they generally choose to pay the ransom. This saves them time and resources in additional security configurations. For other companies, like a healthcare organization, they cannot risk to have their records locked down, or worse, lost. Those companies would probably invest in further security initiatives to mitigate the risk. By measuring and communicating these options in cost metrics, security can be aligned with business priorities and further advance the journey of cyber risk management.
-Use simple visuals to communicate the cost impact of threat and remediation. The higher up in the organization you go, the shorter, sweeter, and more visual it needs to be. Better yet, use financial term to communicate the risk.
-Don’t provide decision makers with one solution they must accept or reject. Give them risk and cost choices, and let them buy into what’s most important for the business.
Interested in reading more blog responses to our ebook? Check out our reflection on Vicky Ames’s entry here.