How to Report Effectively to the Board with Cyber Risk Quantification

by | Aug 5, 2021 | cyber leadership | 0 comments

business person behind laptop thinking

How to Report Effectively to the Board with Cyber Risk Quantification

Intro

Cybersecurity risk management is on the C-suite agenda, especially with rising breaches and soaring 2 trillion dollars spent on payouts and cybersecurity initiatives in 2020, according to estimates from McAfee

Business leaders want to know what they are up against and how much it will cost if a breach does occur – this helps with budgeting, planning, and strategizing. Cybersecurity is no longer a “nice thing to have,” but an investment. To integrate it correctly, it is imperative to quantify the financial impact of cybersecurity spend in relation to all business operations. However, CIOs and CISOs need effective tools to prove the value of cybersecurity programs and how they translate to risk. 

Use the right tools to bridge the gap between business and security

Security initiatives are associated more with business initiatives. For this reason, cybersecurity leaders must come prepared to the board room table with quantifiable data on their security risk. This begins with a comprehensive audit of the security stack.

It is easier said than done for a CIO or CISO to assess cybersecurity risks and pinpoint areas that need to be addressed. A single-point inspection begins with comparing the security stack to cybersecurity standards (NIST, ISO, COBIT). You have to know what is in your stack and how each tool or program is deployed, including any updates, features, or functionalities. This task becomes time-consuming and tedious if done manually. A CIO or CISO must have the right cyber risk quantification (CRQ) tools to first find cybersecurity blind spots. Blind spots are a gap in the stack’s ability to cover a priority control. 

Tools should do the following: 

  • Compare Stack features against Standards (NIST SP 800-53, ISO 27002, COBIT)
  • Identify gaps in coverage and overlaps that can be eliminated to reduce costs
  • Identify which tools should be used to fix cybersecurity risks and the impact on cost and coverage

CRQ begins with integrated tools that immediately identify gaps and quantify the risks associated with them. This not only presents agile, up-to-date data, but it can also mitigate a breach and aid in decisions around stack optimization and lowering costs. 

Report on cyber liability with financial context

Numbers talk, especially in front of the executive board in charge of finance and budget. Business leaders don’t focus on access controls or security frameworks. They care about the customer experience and how it affects profitability. They care about their brand and reputation, factors that impact growth. To fund cybersecurity initiatives, managing cybersecurity executives must convince them that a proposed investment in cybersecurity moves those needles – or protects them from taking a hit. 

With the green light to fund cybersecurity risk management initiatives, it is possible to fix cybersecurity risks with continuous monitoring to review, track, and prioritize items for risk mitigation. CIOs and CISOs unite teams under one umbrella with a 360-degree view of cybersecurity initiatives. With continuous monitoring, they come to board meetings with the right information to back up plans and clearly quantify their cybersecurity risk in terms everyone on the Board can understand. 

Speak the language of the board

Security leaders need to transform the technical language of cybersecurity into financial language. Instead equate cyber risk to its impact on core business metrics, including digital transformation, corporate social responsibility, and a C-suite-friendly road map. By leveraging this framework to speak the same language as the board and provide the necessary business context, CIOs and CISOs can guide strategic conversations around managing cyber risk, prioritizing new technology investments, and measuring the ROI of those investments and their impact on specific controls or programs. 

Get ahead of the next cybersecurity breach

The key to getting ahead of the next big breach is to Find, Fund, and Fix your Cybersecurity Risk Blind Spots. RedMonocle has produced an eBook detailing this innovative approach we think you’ll be excited about. Download this free resource today.

Download the eBook

Submit a Comment

Nichole Kelly

Nichole Kelly

Vice President of Growth

Nichole Kelly brings over two decades of experience in growing organizations top line and bottom line revenue. As one of the leading marketing influencers she is the author of "How to Measure Social Media" and has traveled the world teaching marketers how to build and execute ROI-driven marketing strategies at every major marketing conference. Also an entrepreneur, Kelly was also the founder of SME Digital, a digital marketing agency that was sold to Renegade Marketing.

Kelly leads an active life of service and is the founder of The Bipolar Executive blog and podcast. This project is  designed to help shift the conversation around mental illness to one of mental wellness in Corporate America. 

Kelly holds a Bachelor’s Degree in Business Administration with a minor in Marketing from Saint Leo University.

Connect on my blog The Bipolar Executive

Connect on LinkedIn

Chris Schroeder

Vice President of Engineering, Co-Founder

Chris Schroeder has over 25 years of experience in large complex IT environments from the Fortune 500 to the federal government. Chris has an extensive technology background in mobility, infrastructure operations, and data analytics. Schroeder is a seasoned entrepreneur and co-founder of App47 and the Vice President of Engineering and co-founder of RealOps (sold to BMC).

Chris is an active volunteer in his community coaching boys and girls lacrosse, supporting high school STEM programs, and serving on the Pastoral Council. 

Schroeder holds a Bachelor’s Degree in Computer Science from Radford University and a Masters Degree in Technology Engineering from George Washington University.

Connect on LinkedIn

Sean McDermott

President & CEO, Founder

Sean McDermott’s curiosity for advancing technology began at his first job as a network engineer/architect installing and managing the first private internet for the U.S. Department of Justice. At a time when the internet was just taking off, McDermott was at the forefront and has continued to be on the cutting edge of technology leading Fortune 500 companies through the dot-com bust, 9/11 and the 2008 recession. Sean has over three decades of experience working with CIOs in the Fortune 500 to trail blaze innovation and protect the IT infrastructure of the largest commercial and federal organizations in the world. 

McDermott is a mission-driven, serial entrepreneur who founded Windward Consulting Group, RealOps, Inc. (sold to BMC), App47 and RedMonocle. He is also the founder of the Windward Foundation and Alzheimer’s Caregiver Alliance, an organization dedicated to easing the burden of caregiving for individuals and families touched by Alzheimer’s disease.

McDermott is a member of the Forbes Tech Council and has been featured in Security Boulevard, TechRepublic, IT Visionaries, APM Digest, Inside BigData, DevPro Journal, IT Toolbox and more. He  holds a Bachelor’s Degree in Electrical Engineering from Villanova University and a Masters in Engineering Management from The Catholic University of America. 

Connect on my blog Wheels up World 

Connect on LinkedIn

.