A chief information security officer's (CISO's) job has become harder since COVID-19 pushed many businesses into digital transformation before they were ready for it. Companies had no choice but to adapt or lose revenue and growth, and the result was that CISOs had still more added to their scope in an already stressful environment.
Because the transition was forced, many companies now manage cybersecurity from a compliance-centric position rather than a proactive, risk-first one. Compliance frameworks describe a minimum baseline at a point in time; an organization that focuses on compliance alone leaves itself open to risks and attacks that the framework never anticipated.
According to Gartner, interest in cybersecurity risk management has grown, yet only 37% of board respondents feel confident or very confident that their company is adequately secured against a cyberattack, down from 42% in 2017. A somewhat higher share (49%) is confident or very confident in management's ability to address cyber risk. More than one-fifth of directors (22%), however, are dissatisfied with the quality of the cyber-risk information management provides to the board.
So how can CISOs get the C-suite to adopt a risk-based approach to cybersecurity, and to understand why investing in real-time monitoring matters for mitigating risk?
Here are three questions CISOs should ask themselves when considering a risk-based approach to cybersecurity.
How do we identify emerging threats and address those threats in real-time?
Legacy IT GRC systems do not give modern enterprises enough insight into risk as it exists right now. Most are modular, and the modules keep their data in separate silos, so risk information cannot be correlated across them. This is where the distinction between "glass-box" and black-box risk quantification comes in: whether the method that produces a risk score is transparent or hidden.
Black-box solutions rely on proprietary methodologies and unvetted practices to produce their risk findings, so a result can be reported but not explained. Glass-box solutions let security leaders apply established, widely recognized methodologies and frameworks whose reasoning can be explained to both technical and business-side stakeholders, and whose inputs can be checked.
To identify emerging threats in real time, organizations need this glass-box reporting to continuously monitor the state of their controls and the vulnerabilities in their systems. With manual control monitoring, staff spend most of their time in spreadsheets, dedicating thousands of hours to assessments that may be out of date by the time they are finished. That is neither an effective nor a safe way to approach threats, and it leaves a company exposed to risks it has not yet recorded, including a breach of sensitive data.
The answer to this problem is automation. Using NLP-assisted AI, organizations can build a cybersecurity risk management program that monitors risk continuously rather than at assessment time. When evaluating software to supplement an existing IT GRC system, solutions that use artificial intelligence (AI) or natural language processing (NLP) can save countless person-hours by automating the risk assessment work. Automated monitoring is only as good as the control mappings and data feeds behind it, so those should be reviewed as carefully as the tool itself. The CyberStrong platform offers continuous control automation so that risks can be monitored proactively.
But how does this approach compare with what other organizations in the same industry are doing?
What factors have enabled our competitors to be resilient in a crisis?
When companies benchmark against competitors, they need to consider their own maturity level in terms of cyber risk. The question is no longer "are we secure?" but "how secure are we?". Risk cannot be eliminated entirely, but it can be managed deliberately and effectively.
The graph below illustrates the levels of cyber risk maturity against which a company can benchmark itself. Earlier risk strategies tended to single out lagging indicators such as the number of data breaches or incident responses. That is a shortsighted view of risk management: it puts all the blame on one person or one part of the organization and ignores the steps and decisions that led there.
The goal is to get the company behind a proactive risk management strategy instead of a compliance-only one. Communication about policy and procedure is vital too: the C-suite and the board must share the CISO's view of the threat landscape to manage it effectively. Without that, the lack of transparency creates friction between parts of the organization, including between the CISO and the C-suite. Everyone must understand why raising the company's maturity level matters. Gartner predicts that through 2024, more than 75% of prosecuted compliance violations will result from a failure to coordinate compliance policies and their implementation with security and risk managers.
Assessment and management of risk must go beyond checkboxes and spreadsheets. A reframing this drastic cannot happen overnight, but with intentional decision-making and a strategy in place, a higher level of maturity is attainable.
That brings us to the last question CISOs should ask:
How can we get the C-suite, the board, and the company culture invested in continued mitigation that leads to success?
Interest in cybersecurity and technology risk management is increasing at the board level, with 91% of organizational leaders responsible for cybersecurity and technology risk management having reported to the board at least once in 2018.
Despite this, it has historically been difficult to present cyber risk in business terms, which leads to conflicting goals between the security function and senior executives. The question is often asked: why are we allocating so many resources to a program that cannot quantify a return on its security investment?
Because cyber risk tends to be "invisible," especially when a CISO is taking a risk-first approach, the importance and the success of the investment can be hard to demonstrate. Yet when budgets are cut, security professionals are left with even more to oversee and not enough capacity to manage it. CISOs can counter this by framing their approach in business-oriented language, as a cohesive story that brings the C-suite along. Aligning business and IT objectives is paramount here.
A tangible narrative that shows what the security program influences, and which parts of the operation and the industry the IT department touches, makes that work visible. It lets senior executives see the value of investing in the departments that manage risk and digital transformation initiatives.
Knowing your audience is critical when crafting this narrative. Who sits on the board, and what roles do they serve? How does the security program protect revenue, and how much revenue would a breach cost? What risks does the company carry by addressing compliance alone rather than taking a risk-first approach?
Working through these questions lets CISOs build a story that resonates with the whole C-suite and sets business leaders up for success.
Under the pressure of a post-pandemic world, CISOs who take a risk-first approach and actively work to raise their cyber risk maturity level will make their own lives easier, and the rest of the enterprise's as well. To learn more about a risk-based approach to securing assets, contact us.