How to Create Smarter Risk Assessments

Executives and directors need quantitative measurements - such as likelihood of loss and hard-dollar financial impact - to make more informed decisions about security risks.

You wouldn't set foot in Sweden and start speaking Swahili — so why would you use the language of bits and bytes in a boardroom full of executives to discuss cyber-risk?


As in any other setting, CISOs and security professionals have to learn (and master) the language of the C-suite. And where risk is concerned, simply presenting directors with a qualitative tool such as a heat map to depict the organization's current cyber-risk isn't going to cut it anymore. The nature of digital business, not to mention the unrelenting headlines about hacks, ransomware, and phishing incidents, has sensitized executives well beyond the security basics of malware and firewalls.


"It used to be, 'Tell us how bad it is,' but now it's more a case of, 'We're giving you money ... we need to know what we're getting in return,'" says Nick Sanna, CEO of RiskLens, a risk management software vendor.


Sanna adds that directors and executives face more requests to assess risk in financial terms, including from the Securities and Exchange Commission.


Because qualitative measures won't cut it like they used to (so long, traffic signal graphics!), organizations are either embracing or being pushed toward measuring risk along two axes: likelihood and potential impact. These are the two essential metrics for any risk calculation, cyber or otherwise.


By moving from qualitative to quantitative risk assessment, the organization also helps itself create a guide for action. "How much risk do we have? Are we doing too much or too little? What does it take for us to stay out of trouble? These are basic questions, but they are the things you ..
