If you’re a CISO who sees your role as “keep the business secure” – you’re only partly right, RiskLens CEO Nick Sanna argues in an article just published by Security Week.
“To truly succeed in their roles, CISOs must clearly demonstrate their value to the business in dollars and cents,” Nick writes.
“That’s going to mean shifting their branding from ‘minimize threats and vulnerabilities’ to include ‘providing options for business enablement’, where trade-offs between security investment levels and resulting risks are clearly articulated for informed business decisions to be made.”
Case in point: The typical risk register records entries with no effort “to relate these ‘risks’ to anything the business cares about – like a potential financial loss.”
As Nick writes, “ADP has a better way.” The giant payroll company uses the FAIR model (the risk quantification method operationalized by the RiskLens platform) to meet two standards for its risk register entries:
- Every entry must relate to an IT asset that must in turn relate to a product line.
- Every entry must be defined as a “loss event” according to the FAIR model, with a potential frequency and impact in dollar terms.
“A risk register like ADP’s clearly demonstrates the business value of cybersecurity, and quantification is the key,” Nick writes. “With an estimate in dollar terms of loss events, CISOs can also prioritize a Top Risks list based on relative ranges of potential losses.”
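The two register standards above, and the Top Risks ranking that follows from them, can be shown as working code. What follows is an added example written for this page; it is not RiskLens platform code and not ADP's register. The entry names, assets, product lines and three-point ranges are constructed, and the Monte Carlo (a triangular distribution for each range, a Poisson draw for the number of events per year) is a simplified stand-in for a full FAIR analysis. It enforces that every entry names an IT asset and a product line, that every entry carries a loss event frequency and loss magnitude in dollars, and then ranks entries by simulated annualized loss rather than by a high/medium/low label.

```python
"""Quantify and rank risk register entries as FAIR-style loss events.

Added illustration, not RiskLens platform code or ADP's register (all data
below is constructed). Each entry must (1) name an IT asset tied to a product
line and (2) carry a loss event frequency (events/year) and a loss magnitude
(dollars/event), both as min / most-likely / max ranges. A Monte Carlo run
turns those ranges into an annualized loss distribution used for ranking.
"""
import math
import random
from dataclasses import dataclass


@dataclass(frozen=True)
class Range:
    """Three-point estimate: minimum, most likely, maximum (all >= 0)."""
    low: float
    mode: float
    high: float

    def __post_init__(self):
        if not (0 <= self.low <= self.mode <= self.high):
            raise ValueError(f"range must satisfy 0 <= low <= mode <= high: {self}")

    def mean(self):
        return (self.low + self.mode + self.high) / 3.0  # mean of a triangular distribution


@dataclass(frozen=True)
class LossEvent:
    """One risk register entry expressed as a FAIR loss event."""
    name: str
    asset: str          # the IT asset the entry relates to
    product_line: str   # the business product line that asset supports
    frequency: Range    # loss events per year
    magnitude: Range    # dollars lost per event


def validate_entry(entry):
    """Standard 1: every entry must relate to an IT asset and a product line."""
    if not entry.asset.strip() or not entry.product_line.strip():
        raise ValueError(f"{entry.name!r}: entry must relate to an IT asset and a product line")
    return entry


def is_registrable(entry):
    """True if the entry meets the asset/product-line standard."""
    try:
        validate_entry(entry)
        return True
    except ValueError:
        return False


def _poisson(rng, lam):
    """Knuth's method: number of events in one year given a rate lam."""
    threshold, k, p = math.exp(-lam), 0, 1.0
    while True:
        p *= rng.random()
        if p <= threshold:
            return k
        k += 1


def simulate_annual_loss(entry, trials=10_000, seed=0):
    """Standard 2: frequency x magnitude, sampled, gives annual loss in dollars."""
    rng = random.Random(seed)  # fixed seed so results are reproducible
    f, m = entry.frequency, entry.magnitude
    losses = []
    for _ in range(trials):
        rate = rng.triangular(f.low, f.high, f.mode)      # events/year this trial
        events = _poisson(rng, rate)
        losses.append(sum(rng.triangular(m.low, m.high, m.mode) for _ in range(events)))
    return sorted(losses)


def percentile(sorted_values, p):
    """Nearest-rank percentile of an already sorted list."""
    idx = min(len(sorted_values) - 1, int(p / 100 * len(sorted_values)))
    return sorted_values[idx]


def summarize(entry, trials=10_000, seed=0):
    """Loss statistics a CISO can put in front of the business."""
    losses = simulate_annual_loss(entry, trials, seed)
    return {
        "name": entry.name,
        "product_line": entry.product_line,
        "mean": sum(losses) / len(losses),
        "p10": percentile(losses, 10),
        "p50": percentile(losses, 50),
        "p90": percentile(losses, 90),
    }


def top_risks(entries, trials=10_000, seed=0):
    """Validate every entry, then rank by mean annualized loss (p90 shows the tail)."""
    return sorted((summarize(validate_entry(e), trials, seed) for e in entries),
                  key=lambda s: s["mean"], reverse=True)


# Constructed sample register: hypothetical entries, not ADP's data.
REGISTER = [
    LossEvent("Payroll DB credential theft", "payroll-db-01", "Payroll Services",
              Range(0.5, 2, 6), Range(50_000, 200_000, 1_000_000)),
    LossEvent("HR analytics API abuse", "hr-analytics-api", "HR Analytics",
              Range(0.1, 0.5, 2), Range(10_000, 30_000, 100_000)),
    LossEvent("Phishing of client portal users", "client-portal", "Benefits Administration",
              Range(5, 10, 20), Range(1_000, 5_000, 20_000)),
]

if __name__ == "__main__":
    for rank, s in enumerate(top_risks(REGISTER), 1):
        print(f"{rank}. {s['name']} ({s['product_line']}): "
              f"mean ${s['mean']:,.0f}, p10 ${s['p10']:,.0f}, p50 ${s['p50']:,.0f}, p90 ${s['p90']:,.0f}")
```

Two design points carry over to a real register. An entry without an asset or product line is rejected before any number is computed, which is what keeps "we might get breached" out of the list; and the ranking is done on a distribution, so the p90 column makes visible the entries whose expected loss is modest but whose tail is not, which is the information a Top Risks discussion with the business actually needs.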
Read more of Nick’s tips on How CISOs Can Demonstrate Business Value in Security Week.
RiskLens is the only cyber risk analytics platform purpose built on the FAIR model, the international standard for cyber and operational risk quantification. Gartner calls risk quantification a critical capability for integrated risk management.