IT Security Guru

Cyber Risk Management – Bringing Security Intelligence To The Board.

by The Gurus
May 28, 2019
in Data Protection, Featured, Opinions & Analysis

Written by Josh Lefkowitz, CEO of Flashpoint

Data breaches are costly. According to a recent Ponemon Institute study, the average breach costs an organisation $3.86 million. A separate study found that, although the share price of breach-affected companies shows its sharpest drop 14 days after the breach is made public, there is still a discernible impact on the organisation’s stock valuation three years post-event.

Business impacts at this level affect the fundamental financial performance and sustainability of an organisation, which means cybersecurity must no longer be considered an IT issue; it’s a matter for the board in its role as custodian of shareholder value. By managing cyber risk as part of the overall organisational risk strategy, boards can put it into a commercial context and drive the cultural awareness of risk that is essential to promote cyber resilience across the business.

Making the shift from technology-centric to business-centric risk management

Elevating cyber risk management to the board level is not without challenges, however. We are still very much in the midst of a shift in mindset from a technology-centric to a business-centric view of cyber threats. This can result in a disconnect: many boards find it difficult to interpret the information they receive from the IT team, while many IT functions struggle to understand what data the board really needs to carry out effective oversight. This challenge was underlined by EY interviews that found difficulties “obtaining relevant, objective and reliable information, presented in business-centric terms…[and this] affects board members’ ability to understand the risk facing their organisations and evaluate management’s response to these risks.”

This area is where the evolving role of the CISO—sitting between the business and the board—requires a mix of skills. CISOs need both technical expertise in analysing and interpreting threat metrics and technology performance, and the ability to apply these skills in a broader business context for board directors so they can deliver strategic cyber risk oversight and governance for the business.

Reporting to the board – from numbers to narrative

While boards are increasingly factoring cyber skillsets into their succession planning when recruiting new board members, most current board directors don’t have deep experience in cybersecurity. This means that any metric-based reporting should be simple to interpret, including auditable figures that provide an overview of the organisation’s security posture.

Reports should also be framed in terms of the impacts specific security incidents have on the business. For example, a DDoS attack might cause reputational risk, operational risk and strategic risk. And, of course, the flipside of risk is compliance, so the board also needs to know how cybersecurity incidents could impact data privacy and governance.

It’s the role of the board to challenge senior management robustly in order to deliver effective oversight, so CISOs should be ready to answer questions around the organisation’s cybersecurity maturity and the frameworks established to manage emerging threats.

However, while numbers and frameworks are valuable in helping boards evaluate and audit cyber risk posture, when it comes to setting a risk-aware culture, directors really need deeper context around the types of threats specific to their organisation. If board directors are given a window into the environment, tactics, and motivational psychology of actors that target their sector and business, they can better understand the risks themselves. Once that has been achieved, board directors can become an asset to the CISO in promoting a cyber risk-aware culture not just as a tick-box exercise, but because they have genuine appreciation of the factors, and indeed actors, in play.

To achieve this board-level buy-in, CISOs need to move from numbers to narrative to drive the message home. This is where business risk intelligence provides the context that helps bring risk to life.

It’s undoubtedly useful for senior leaders to understand the frequency and type of the cyber-attacks the business experiences, but it’s also valuable for them to know the extent to which the organisation is the topic of conversation in the illicit online communities that initiate those attacks.

Deep and dark web forums, chat services, and other platforms are often where cybercriminals discuss tactics to defraud or infiltrate the organisation. These types of venues are also where company secrets, intellectual property, and stolen data may be offered for sale. An overview of the company’s profile across the deep and dark web, as well as other illicit online communities, and the kinds of tactics that are being discussed, is a powerful way CISOs can help directors gain context to understand what the business faces.

Illustrating third-party risk

Third-party risk, including supply chain weaknesses, is a hot topic in boardrooms as businesses realise that keeping their own house in order is not enough. Intelligence gleaned from illicit online communities can also be used to illustrate potential weaknesses in, or threats to, partner organisations. This intelligence can help boards meet objectives to manage supply chain risk.

Successful cyber risk oversight by company boards relies on them receiving a combination of auditable metrics, risk impact assessments and contextual information enabling them to provide informed oversight of cyber risk. Greater understanding of the threat actor environment also assists boards in leading a risk-aware culture across the business, moving from a tick-box approach to a genuine cultural shift.
