Present Cyber Risk Reports to the Board that Spock Would Approve

January 14, 2019  Chelsea Brunson

You’re a CISO who’s prepared hard for your cybersecurity Board presentation, covering the company’s Top 10 Risks. To make the stakes higher, it’s annual budget time. You enter the boardroom, PowerPoint under control (you think), and are introduced to the new member of the Board.

Wait a minute, those ears, those eyebrows, that bowl haircut… it’s Spock! The half-human, half-Vulcan, all-logical science officer of the starship Enterprise (from the original TV series, when he was even smarter).

You start to give your talk about threats and vulnerabilities, and the only supporting document you have is your do-it-yourself, subjective list of top risks, illustrated by a heat map: red for high, yellow for medium, green for low risk.

Spock might be okay with you speaking to threats and vulnerabilities. But that subjective list of top risks, Spock would not accept.

He would have a lot of questions, and the conversation might go something along the lines of:

Spock: How did you come up with the ranking of the risks? What model are you basing this on?

Mr. CISO: Well, I’m basing it on my personal experience as a CISO and I feel like these are our top risks.

Spock mutters under his breath: May I say that I have not thoroughly enjoyed serving with humans? I find their illogic and foolish emotions a constant irritant.

Spock: What assumptions did you make? What makes ‘Risk X’ more of a concern than ‘Risk Y’?

Mr. CISO: Well, I think that some of these are going to be some emerging risks in the next year - so I figured I should add them to the list.

Spock: Insufficient facts always invite danger. Should you re-evaluate that?

You go on to make your pitch for a $30 million budget, but suddenly the room goes black as you feel a Vulcan neck pinch.

Hey, wake up!

You’re not really presenting to the Board with nothing but a heat map. That was just a bad dream.

Except the part about Spock – he really is on the Board. But you’re confident because you can present the following reports:

Showing the aggregate annualized loss exposure for the company

Showing how much risk was reduced last year with the allocated budget

Good thing you completed this report on the RiskLens Cyber Risk Quantification application. So this time the conversation goes like this:

Spock: What model is this based on?

Mr. CISO: This is based on Factor Analysis of Information Risk (FAIR). FAIR is the only international (and inter-galactic) standard quantitative model for cyber security and operational risk.

Spock: Where did the numbers come from? What assumptions did you make?

Mr. CISO: Let’s go into the application to this specific analysis and see where the data came from and the assumptions we made.

Now that Spock has the answers to his questions, he takes a closer look at the graphs. From the first graph, Spock would see that the average annualized loss exposure was $228.5M.

From the second, Spock would also see there was an average risk reduction of $183.8M for the year with $30.6M you had in your budget. Now you have justified your budget and shown the value that you’re providing.
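To show what sits behind figures like these, here is an added FAIR-style Monte Carlo estimate of annualized loss exposure; it is illustrative code written for this article, not RiskLens software, and every scenario value in it is a constructed (min, most likely, max) estimate of the kind an analyst would collect.

```python
"""FAIR-style Monte Carlo estimate of annualized loss exposure (ALE).

Risk = Loss Event Frequency x Loss Magnitude, where
Loss Event Frequency = Threat Event Frequency x Vulnerability.
All scenario numbers below are constructed for illustration.
"""
import random
from statistics import mean

# Constructed scenarios: each parameter is (min, most_likely, max).
# tef: threat events per year; vuln: probability a threat event becomes
# a loss event; lm: loss magnitude per loss event, in dollars.
SCENARIOS = {
    "ransomware_on_file_servers": {
        "tef": (2, 6, 15), "vuln": (0.10, 0.25, 0.50), "lm": (0.5e6, 3e6, 20e6)},
    "customer_db_breach": {
        "tef": (1, 4, 10), "vuln": (0.05, 0.15, 0.40), "lm": (1e6, 8e6, 60e6)},
}

def tri(rng, lo, most_likely, hi):
    """Triangular draw from a (min, most_likely, max) estimate."""
    return rng.triangular(lo, hi, most_likely)  # stdlib order is (low, high, mode)

def simulate(scenarios, iterations=20000, seed=1):
    """Return simulated annual loss per scenario plus the company aggregate."""
    rng = random.Random(seed)  # fixed seed keeps results reproducible
    results = {name: [] for name in scenarios}
    results["aggregate"] = []
    for _ in range(iterations):
        total = 0.0
        for name, scn in scenarios.items():
            lef = tri(rng, *scn["tef"]) * tri(rng, *scn["vuln"])
            loss = lef * tri(rng, *scn["lm"])
            results[name].append(loss)
            total += loss
        results["aggregate"].append(total)
    return results

def with_control(scenarios, name, vuln_factor):
    """Copy of the scenarios with one scenario's vulnerability scaled by a control."""
    out = {k: dict(v) for k, v in scenarios.items()}
    out[name]["vuln"] = tuple(x * vuln_factor for x in scenarios[name]["vuln"])
    return out

def risk_reduction(before, after):
    """Mean aggregate ALE removed by the control, in dollars."""
    return mean(before["aggregate"]) - mean(after["aggregate"])

if __name__ == "__main__":
    base = simulate(SCENARIOS)
    hardened = simulate(with_control(SCENARIOS, "ransomware_on_file_servers", 0.5))
    print(f"aggregate ALE: ${mean(base['aggregate']):,.0f}")
    print(f"risk reduced by control: ${risk_reduction(base, hardened):,.0f}")
```

Presenting the aggregate ALE next to the reduction a funded control delivers is the quantitative answer to Spock's "where did the numbers come from" that a heat map cannot give.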

The only words Spock would have at this point would be “live long and prosper,” with the four-finger hand salute that means a yes for your budget request.

With the FAIR model and the RiskLens tool, you can provide the Board with cyber risk reports that even Spock would approve.