Nehemiah Security partnered with MightyGuides to interview seven industry experts with the mission of advancing the risk management conversation among cyber professionals. Each interviewee was posed the question, “If your friend was put in charge of measuring cyber risk at their company, what advice would you give them?”
Richard Rushing, CISO at Motorola Mobility, states that “when it comes to discussing security priorities with executive leadership, risk will be at the center of that conversation.” Deciding what is most critical is not something CISOs can do on their own; going forward, the CISO is going to need help in understanding the business. Although there are many ways to talk about risk, there’s nothing simple or easy about quantifying it. One way to quantify risk is by relating it to a maturity scale, with lower maturity equating to higher risk. The same scale becomes a tool for measuring progress by showing where you were before a particular security investment and where you are afterwards. An approach that has more direct meaning for business decision makers is to compute risk in terms of dollars.
I couldn’t agree more. I recall a recent survey of 400 CEOs which stated that the majority of them thought cybersecurity was their number one risk. However, only 26% of those people thought they were actually prepared for it. Why this cavernous gap? I’ll point back to the ‘language’ concept Richard talked about in his interview. Thus far, cyber has communicated to the organization in technical terms. It might as well be a foreign language. In addition, the messages cyber has been delivering have been ‘alert heavy and action light’. Business is all about action—don’t bring me a problem unless you also bring me a solution. These are the calls to action for Cyber: 1) communicate in business terms (ideally in dollars), and 2) propose an intelligent approach to managing the business’s most pressing cyber concerns. As these calls to action take root within organizations, we can expect concepts like traceability and verifiability to become more prominent as CISOs communicate with the C-Suite or the Board.
In the end, you really have to show how something is going to solve a problem in the real world today. What advantage is it going to provide, and what is the benefit going to be? Rushing advises being totally prepared with what you want to say, being ready for questions that may come up because of things in the news, and being concise in your presentation.
- Turning risk into dollar figures can be a complex calculation involving many aspects of the business that are difficult to quantify, like real revenue impact and cost of recovery.
- Work with financial professionals in the organization who will be able to help devise dollar measurements for real cyber risk scenarios that must be addressed.
Interested in reading more blog responses to our ebook? Check out our reflection on Suzie Smibert’s entry here.