A new survey from Gartner, the leading tech consultancy, finds that 88% of boards of directors now view cyber risk as business risk, but that message doesn’t seem to flow down to business management.
According to Gartner, in 85% of organizations the CIO, CISO or another IT executive is held accountable for cybersecurity; just 10% of organizations hold non-IT senior managers accountable.
“It’s time for executives outside of IT to take responsibility for securing the enterprise,” said Paul Proctor, distinguished research vice president at Gartner, pointing in particular to the ransomware and supply chain attacks of 2021 that knocked out critical business operations.
As it is, “business leaders make decisions every day, without consulting the CIO or CISO, that impact the organization’s security.”
Gartner puts the burden on CISOs to “rebalance accountability for cybersecurity so that it is shared with business and enterprise leaders.”
Are CISOs up to the task? In many organizations, the accountability wall between IT and the business is propped up by CISOs who can’t communicate in the financial language of the business: loss exposure in dollars from cyber attacks, return on security investment (ROI) and the other terms in which management talks about accountability. Tech talk about maturity scores or patch rates doesn’t translate.
FAIR™ (Factor Analysis of Information Risk) is the international standard for assessing cyber and IT risk in financial terms, giving CISOs the means to communicate effectively with the business.
The RiskLens suite of tools for cyber risk quantification, based on FAIR, generates reporting on cyber risk at whatever level an organization requires for decision support: in-depth assessment of specific, high-impact risk scenarios; quick looks at an organization’s top ten cyber risks; and benchmarking of risk management against peers within an industry.
Contact us to learn how cyber risk quantification can help your IT or cybersecurity team communicate effectively with business partners.
And here’s one more incentive for quantification: protecting budget. According to Gartner, growth in cybersecurity spend will slow through 2023. “After years of such heavy investment in security, Boards are now pushing back and asking what their dollars have achieved,” Paul Proctor said.