Nehemiah Security partnered with MightyGuides to interview seven industry experts with the mission of advancing the risk management conversation among cyber professionals. Each interviewee was posed the question, “If your friend was put in charge of measuring cyber risk at their company, what advice would you give them?”
Genady Vishnevetsky (chief information security officer for a global real-estate insurance company), a security expert interviewed for the book, says that any CISO stepping into an overwhelmed security operation needs to take immediate steps to identify gaps and establish priorities. Only then will he or she be in a position to sell a security program to senior management. Vishnevetsky also outlines three basic steps to start out with (read the full ebook for details on these steps).
In my opinion, Genady is spot on with his points here. Putting results in a framework is key when explaining security to the organization, because we as security leaders need to communicate what the industry standards tell us in business terms, not technical jargon. After talking to countless CISOs over the years, a common theme I see is that, in addition to technical frameworks, there is a big need for a communication mechanism that helps the business properly understand its risks.
The C-suite's security concerns are heavily shaped by what they read in the news. Common reactions include "What is ransomware going to do to me?", "What is a DDoS attack?" or "What is this specific attack going to do to ME and MY organization?" These are their primary concerns because they directly address people and processes and the harm the attacks may inflict upon the organization. Therefore, emphasizing risk reduction to senior management will help them measure their return on security investments. Most organizations also have a risk register they use to manage key risks. Cybersecurity needs to fit into that register by being measured in dollars and cents. In this picture, traceability is critical all the way from the top-level risk down to the controls, and then all the way down to the attack.
Moving forward, it is important for CISOs to understand their role within the organization. “As a CISO, it’s not my job to tell the business what to do. It’s my job to inform a business about the risk,” Vishnevetsky concludes.
- Setting priorities is Step 1 for a CISO. Only after that happens can he or she assess what technologies and processes must be in place and whether they are doing what needs to be done.
- Cyber leaders would do well to appeal to other execs along the lines of reducing risk—a language they already speak. As opposed to forcing decisions into yes/no, do/don't or invest/don't invest, provide decision makers with risk and investment choices, and let them buy into what is most important for the business.
- Risk reduction is how senior management measures the return on their security investment.
Interested in reading more blog responses to our ebook? Check out our reflection on Surinder Lall’s entry here.