Don’t have time to read? Start listening to this blog post now:
Nehemiah Security partnered with MightyGuides to interview seven industry experts with the mission of advancing the risk management conversation among cyber professionals. Each interviewee was posed the question, “If your friend was put in charge of measuring cyber risk at their company, what advice would you give them?”
Surinder Lall, a security expert interviewed for the eBook, highlights the importance of making risk quantification real and tangible for the business. In every organization, there are hundreds of security changes that can and should be implemented. Lall notes that successful security leaders focus on introducing a select number of changes in the context of a maturity model for their industry segment. Leveraging this external source provides logical and material parameters for internal stakeholders, who likely have varying views on risks, to understand and approach the change and the risks associated.
Surinder Lall is hitting on a critical, but often unknown issue. Because cybersecurity is a growing issue and money poured into the field is not yielding the desired results, businesses are capping their cyber budgets. As a result, security teams must work with the resources already available and cannot support extensive security changes. Frustration quickly develops as their to-do list perpetually grows. What they fail to understand is that of the 1,000 things on their to-do list, only three of them may actually be priority for the business as a whole.
Moving forward, security leaders must take a step back, prioritize their to-do list, then communicate those issues to the business. To do so, ordinal measurements such as “high, medium, low” or “red, yellow, green” must be thrown out the window. They have no meaning, no transparency, and no depth. Rather, frame the conversation with tangible business impacts, such as legal liabilities, PR damage, fines, lost competitive advantage, and benchmark the risks to industry standards. This articulates the reality of the risk, makes it comparable to other business risks, and facilitates action.
Business leadership wants to see how a program addresses risk. That requires measuring risk in a way that enables them to see its potential impact on business performance.
To learn more about the full eBook, please download it here.