A Board’s Wish List for the CISO

January 22, 2019  Jay Soni

After another year of major, high-profile data breaches and other cyber attacks that have cost organizations millions of dollars in losses, boards should ask themselves and their CISOs: "How do we get better at understanding the risks we face, and at managing them cost-effectively?"

Boards need to direct CISOs, who typically come from technical backgrounds, to give them business-focused answers. The way to do that is to consistently ask the right, pointed questions about risk.

So here is a board's wish list for 2019: the questions they would like to see answered by their CISO or risk committee.

1. Show that the staff charged with security is marching together in the right direction to prevent and respond to loss events

At a foundational level, this requires a formal definition of risk that everyone applies consistently. Many organizations still suffer from inconsistent risk-related nomenclature, which leads to items being labeled as "risks" that are not risks at all (a missing patch or a weak password policy is a control deficiency, not a risk). A formal risk model like FAIR, which defines risk as the probable frequency and probable magnitude of future loss, helps the organization speak the same language and state clearly what is and is not a risk.

2. Tell us how much risk we have and how it lines up with other risk reporting

To do this accurately, organizations have to move beyond qualitative (high/medium/low) ratings of cyber risk and quantify it in financial terms, in dollars and cents. Boards are used to seeing loss exposure figures from other functions such as market and credit risk, so quantifying cyber risk the same way lets CISOs bridge the communication gap between IT and the business.

3. Show that our spending on risks is targeted correctly and not wasted

Using FAIR to conduct quantitative analysis lets CISOs produce a top 10 risk report that shows where loss exposure is concentrated and therefore where budget and resources should be allocated. Without a formal quantitative model like FAIR, this becomes an unreliable exercise driven by gut instinct and flawed mental models, which leads to inefficient or poor risk management.

4.  Tell us how you have reduced risk over time

Justifying security investments without quantification is extremely difficult and usually comes down to trust. Quantitative analysis lets a CISO justify how budget has been spent by showing the risk reduction, and the return on investment, of specific initiatives in financial terms, enabling cost-benefit analysis that leads to cost-effective risk management.
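The following is an added example of what quantified risk reporting looks like in practice, covering wish-list items 2 to 4 above (loss exposure in dollars, a ranked top-risks report, and the risk reduction and ROI of a control). It is constructed for this page and is not RiskLens software or the full FAIR ontology: it uses the FAIR decomposition of risk into loss event frequency (threat event frequency x vulnerability) and loss magnitude, fed by calibrated min / most-likely / max estimates, but substitutes the standard library's triangular distribution for the PERT distribution FAIR tooling normally fits, and treats annual loss as frequency x per-event loss rather than drawing a per-event count. All scenario names, estimates and control costs are made-up inputs.

```python
"""Simplified FAIR-style Monte Carlo: cyber risk as annualized loss exposure.

Constructed illustration, not RiskLens software. It applies the FAIR
decomposition Risk = Loss Event Frequency x Loss Magnitude, with
Loss Event Frequency = Threat Event Frequency x Vulnerability.
"""
import random
from dataclasses import dataclass


@dataclass(frozen=True)
class Estimate:
    """Calibrated minimum / most-likely / maximum estimate.

    FAIR tooling normally fits a PERT distribution to these three values; the
    standard library has no PERT, so a triangular distribution stands in here.
    """
    low: float
    mode: float
    high: float

    def sample(self, rng: random.Random) -> float:
        return rng.triangular(self.low, self.high, self.mode)


@dataclass(frozen=True)
class Scenario:
    name: str
    tef: Estimate             # threat events per year
    vulnerability: Estimate   # P(a threat event becomes a loss event), 0..1
    loss_magnitude: Estimate  # dollars lost per loss event (primary + secondary)
    annual_control_cost: float = 0.0  # yearly cost of the controls this scenario assumes


@dataclass(frozen=True)
class Result:
    name: str
    ale: float  # annualized loss exposure: mean simulated annual loss
    p50: float
    p90: float
    p95: float


def simulate(scenario: Scenario, iterations: int = 20_000, seed: int = 7) -> Result:
    """Monte Carlo estimate of one scenario's annual loss distribution."""
    rng = random.Random(seed)  # fixed seed: reproducible board reporting
    annual = []
    for _ in range(iterations):
        lef = scenario.tef.sample(rng) * scenario.vulnerability.sample(rng)
        # Simplification: annual loss = expected loss events x loss per event.
        # A fuller model draws a Poisson event count and a loss for each event.
        annual.append(lef * scenario.loss_magnitude.sample(rng))
    annual.sort()

    def pct(p: float) -> float:
        return annual[min(len(annual) - 1, int(p * len(annual)))]

    return Result(scenario.name, sum(annual) / len(annual), pct(0.5), pct(0.9), pct(0.95))


def top_risks(scenarios, n: int = 10, **kw) -> list:
    """Ranked loss-exposure table: where risk (and therefore budget) is concentrated."""
    return sorted((simulate(s, **kw) for s in scenarios), key=lambda r: r.ale, reverse=True)[:n]


def control_roi(before: Scenario, after: Scenario, **kw) -> dict:
    """Cost-benefit of the control that turns scenario `before` into `after`.

    Both runs use the same seed (common random numbers), so the difference
    reflects the control, not sampling noise.
    """
    cost = after.annual_control_cost - before.annual_control_cost
    ale_before, ale_after = simulate(before, **kw).ale, simulate(after, **kw).ale
    reduction = ale_before - ale_after
    net = reduction - cost
    return {"ale_before": ale_before, "ale_after": ale_after, "risk_reduction": reduction,
            "control_cost": cost, "net_benefit": net, "roi": net / cost if cost else None}


# Constructed scenarios; the numbers are illustrative inputs, not real data.
PHISHING = Scenario("Credential phishing leading to payroll fraud",
                    tef=Estimate(2, 5, 20), vulnerability=Estimate(0.10, 0.30, 0.50),
                    loss_magnitude=Estimate(50_000, 150_000, 500_000))
PHISHING_WITH_MFA = Scenario("Credential phishing, with phishing-resistant MFA deployed",
                             tef=Estimate(2, 5, 20), vulnerability=Estimate(0.02, 0.05, 0.10),
                             loss_magnitude=Estimate(50_000, 150_000, 500_000),
                             annual_control_cost=150_000)
RANSOMWARE = Scenario("Ransomware on file servers",
                      tef=Estimate(0.2, 0.5, 2), vulnerability=Estimate(0.20, 0.40, 0.70),
                      loss_magnitude=Estimate(200_000, 1_000_000, 5_000_000))

if __name__ == "__main__":
    for r in top_risks([PHISHING, RANSOMWARE]):
        print(f"{r.name}: ALE ${r.ale:,.0f}  p50 ${r.p50:,.0f}  p90 ${r.p90:,.0f}  p95 ${r.p95:,.0f}")
    roi = control_roi(PHISHING, PHISHING_WITH_MFA)
    print(f"MFA: risk reduction ${roi['risk_reduction']:,.0f}/yr for ${roi['control_cost']:,.0f}/yr, "
          f"ROI {roi['roi']:.1f}x")
```

Because the three estimates in each scenario are sampled independently, the simulated ALE converges on the product of their means (for the constructed phishing scenario, 9 events x 0.3 x $233,333, about $630,000 a year), which is a useful sanity check on any quantitative report before it reaches the board. The percentiles matter as much as the mean: a board deciding how much loss it is willing to carry needs the tail (p90, p95), not just the average.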

Organizations are likely to face an even more hostile cybersecurity environment in 2019. Boards can drive the changes needed to field a more effective defense, based on a clear picture of the financial choices around risk. It starts with asking the right questions.

RiskLens helps Fortune companies introduce risk quantification to their organizations. Contact us to learn more.

Download our eBook: "Executive's Guide to Cyber Risk Economics".