RiskLens CEO in ‘Security Week’ on How CISOs Can Demonstrate Business Value

August 13, 2019  Jeff B. Copeland

RiskLens CEO Nick SannaIf you’re a CISO whose sees your role as “keep the business secure” – you’re only partly right, RiskLens CEO Nick Sanna argues in an article  just published by Security Week.

“To truly succeed in their roles, CISOs must clearly demonstrate their value to the business in dollars and cents,” Nick writes.

“That’s going to mean shifting their branding from ‘minimize threats and vulnerabilities’ to include ‘providing options for business enablement’, where trade-offs between security investments levels and resulting risks are clearly articulated for informed business decisions to be made.”

Case in point: The typical risk register records entries with no effort “to relate these ‘risks’ to anything the business cares about – like a potential financial loss.”

As Nick writes, “ADP has a better way.” The giant payroll company uses the  FAIR model (the risk quantification method operationalized by the  RiskLens platform) to meet two standards for its risk register entries:

  1. Every entry must relate to an IT asset that must in turn relate to a product line.
  2. Every entry must be defined as a “loss event” according to the FAIR model, with a potential frequency and impact in dollar terms.

“A risk register like ADP’s clearly demonstrates the business value of cybersecurity and quantification is the key," Nick writes. "With an estimate in dollar terms of loss events, CISOs can also prioritize a Top Risks list based on relative ranges of potential losses.”

Read more of Nick’s tips on  How CISOs Can Demonstrate Business Value in Security Week.

RiskLens is the only  cyber risk analytics platform purpose built on the FAIR model, the international standard for cyber and operational risk quantification. Gartner calls risk quantification a  critical capability for integrated risk management.