Nehemiah Security partnered with MightyGuides to interview seven industry experts with the mission of advancing the risk management conversation among cyber professionals. Each interviewee was posed the question, “If your friend was put in charge of measuring cyber risk at their company, what advice would you give them?”
Heath Taylor, Director of Information Security Compliance at Live Nation Entertainment, states that the business is “always looking to its bottom line.” It is interested in how much an incident would cost in payouts versus how much it would impact technology and the people responsible for implementing that technology.
In order to justify your security spending effectively, he suggests, as a good first step, using a risk management framework that is appropriate to your industry and that covers the regions where you operate. “By doing that and understanding your regulatory obligations, you can then take a look at the systems and processes you have,” he says. Understanding all of the risk transferral and risk acceptance (your risk appetite) is also key.
I think Heath makes a great point that we need to take technical indicators such as CVE scores and turn them into quantifiable metrics that the Board can readily understand. This is challenging, but once you have the framework and structure in place, it becomes easier each time you do it. With products like RQ, you can then also see how you compare to your peers. This lets you see both sides of the coin and answer the question “Who else is dealing with this issue?”
1) Only with a clear understanding of a business’s risk appetite will you be able to assess its risk tolerance for each asset and quantify the risk.
2) When presenting to a board or senior executive leadership, you need to make risks and threats tangible for your audience.
Interested in reading more blog responses to our ebook? Check out our reflection on Suzie Smibert’s entry here.