While cybersecurity might sit under the umbrella of IT, make no mistake: a breach impacts the entire business, so understanding risk and acting on it is the entire organization’s responsibility.
This means your organization needs a holistic view of risk, one that supports not only technical discussions but business conversations about cyber risk. By understanding not just the nuts and bolts of an exploit, but the impact it can have on employees, customers, and revenue, security experts and business leaders alike can prioritize actions, budgets, and initiatives.
As part of the Evolve from Risk Management to Risk Intelligence webinar series, I spoke with SecurityScorecard’s VP of Policy and Government Affairs Charlie Moskowitz, along with Director of Risk Solutions Anna Sarnek. They shared their insights into how security professionals can communicate cyber risk in a way that all stakeholders can understand so everyone can take the right action faster.
Talking the Cyber Talk
Today’s organizations are evolving beyond reactive risk management to a proactive risk intelligence approach that allows them to anticipate what will come next. But to be proactive, you have to be able to share your vision of the future with other stakeholders in a way that inspires them to act, even when no threat is imminent.
“You have to be able to shift the mindset of your CFO or CEO to focus on the business impact of an attack so they can start asking the right questions about preventing it from happening,” Sarnek said.
However, in many organizations business leaders still view cybersecurity as a cost center rather than an investment, which makes the shift to a risk intelligence posture difficult. The public sector illustrates why: it is often strapped for cash, and its expenditures are closely scrutinized by citizens and politicians alike.
Moskowitz shared that the government still approaches risk in a siloed, disconnected way. Because the vast majority of critical infrastructure in the US is privately owned, the government has little insight into, or control over, the risk posture of systems whose failure could affect the lives and safety of millions.
“If a threat actor finds one common vulnerability, they can access thousands or millions of companies. There needs to be a common defense that includes risk intelligence, instead of an individualist way of managing risk,” he said.
Money: A Language Everyone Understands
One way to create a common defense is cyber risk quantification. By using risk quantification to describe cyber risk in dollars and cents, a metric everyone understands, different departments, stakeholders, and business units can more easily see where to invest cybersecurity resources and why.
“Cyber risk quantification creates a translation layer where everyone from the CEO on down can measure it day by day and understand what the current status is. This makes vulnerability awareness part of their monthly, quarterly, and annual conversations, not just when something goes wrong,” Sarnek said.
Sarnek cautioned against letting dollars and cents become the one and only metric. Organizations often fall into the trap of comparing their spend to industry benchmarks; as long as they are spending the same amount as their peers, they can be lulled into complacency.
“You still have to drill down to understand if you are spending the right amount for your specific business, the impact it will have on your customers, and the types of vulnerabilities you have,” she said.
Cybersecurity is a Team Sport
To improve your organization’s ability to communicate effectively about cyber risk, start by bringing a more diverse group of stakeholders into your cybersecurity conversations. The further you expand that circle beyond the traditional players, the deeper and more broadly you can embed cybersecurity across the organization.
“My initial upfront advice would be to get curious and understand what the digital space in your organization looks like,” Sarnek said. “This can help you get into the mindset of defining your protection surface instead of your attack surface, allowing you to protect your core assets instead of spending time trying to protect things that aren’t as important.”
Moskowitz advises taking the time to ensure that senior leaders truly understand the language and vocabulary of cybersecurity so they can not only participate effectively, but feel invested in the outcome.
“If you have a C or a D rating, that doesn’t mean you’re doing a bad job. It means you're under-resourced and need to find a better way to explain what the cost is in terms they’ll better understand. Business leaders need to understand the risk to them and their job as much as to the organization.”
Evolve to Risk Intelligence with SecurityScorecard
A holistic approach to risk, one that combines a 360° view of the attack surface with the ability to communicate risk meaningfully and respond effectively, is critical for business success in today’s threat landscape. With SecurityScorecard’s latest product release, organizations now have everything they need to build a world-class risk intelligence program.
Watch this webinar on demand to hear the complete conversation and learn how communicating risk meaningfully enables a holistic risk intelligence program.