RiskLens CEO Nick Sanna has a bad news/good news message for CISOs, just published on the SecurityWeek website: Expectations for CISOs Have Changed. The communication techniques many IT security executives have relied on – from FUD (Fear, Uncertainty and Doubt) to heat maps to “maturity” checklists to “security scorecards” based on counts of vulnerabilities or patches – just won’t cut it anymore.
Here’s what’s changed, Nick argues, after a punishing couple of years of massive data breaches and malware attacks, heightened scrutiny on cybersecurity from regulators like the SEC and heightened awareness of the risks from digital disruptors like the Internet of Things:
“Cyber risk has risen to the level of enterprise risk – which [boards and senior management] expect to be measured, managed, and reported in the terms that the rest of the enterprise understands, namely, in financial terms to show the likelihood and potential cost of losses…
“Welcome, CISOs, to the Era of Cyber Risk Economics.”
The good news: Cyber risk analysis based on the FAIR model that powers the RiskLens platform, points the way up to meeting higher expectations. It’s more of “a change in thinking about risk rather than another scorecard of numbers,” Nick writes, that gives risk teams “the analytical skills and the applications to quickly [generate] a range of scenarios that make the risk choices clear to the decision makers.”
With 3,400 members now signed up for the FAIR Institute, an estimated 30% of the Fortune 500 using FAIR, and Gartner recently recommending risk quantification as a must-have for integrated risk management, “this is a growing movement, and I think it’s the right movement during this era of heightened expectations for CISOs,” Nick concludes.
Read Nick Sanna's article in SecurityWeek, Expectations for CISOs Have Changed.