In uncertain times, CISOs have a golden opportunity

Hackers are targeting everyone and taking advantage of fear, uncertainty, and a 24/7 news cycle that can dwell on a single theme for weeks on end. The victim pool includes everyone from the global remote workforce (some working in industries that didn’t know remote work was even feasible), to essential workers in labs working on vaccines or treatment plans for COVID-19.

According to Microsoft, phishing and social engineering attacks have jumped to 30,000 a day, and extremely sophisticated levels of ransomware attacks are up 800%. Ransomware’s latest tactic is a conversion to doxware. Attackers steal company data before encrypting it and threaten to reveal that your organization has been hacked and that sensitive customer data has been compromised. So even if you have backups and don’t pay the hackers, your reputation is still at risk.

As ransomware attacks become more frequent, IT and information security leaders often end up pointing fingers at each other after a cyber-attack. And there are many fingers in the room, adding to the chaos, trying to avoid responsibility, and deflecting ownership of the problem to other stakeholders.

The CISO has the biggest finger, but should point carefully

A recent WSJ article talked about how CISOs are now being elevated to corporate leadership roles. We are currently witnessing a growing epidemic of cyber risk. Today more than ever, CISOs can use their influence to do more than just drive technological change by piercing the silos across the enterprise.

But it’s going to take a completely different method of communicating. The outcome must be seen much faster and it must clearly demonstrate greater cyber maturity and resilience in such a way that it can’t be disputed. In a nutshell, this means that cybersecurity must be spoken about in business terms, in dollars and cents, not bits and bytes.

This has often not been the case. Before the pandemic, it wasn’t unusual for a CISO to walk into a CFO’s office and have a budget conversation with a color quadrant of red, yellow, and green. Security vulnerabilities in red needed the most attention and would require immediate investment. Success would mean having less red and yellow on the chart. Vying for this type of security progress through vague risk reduction was enough to get approval for the latest technology and address control deficiencies and alleviate other impending threats.

The days of vague cyber plans and investments are over

In June, the International Monetary Fund forecasted that the global GDP will suffer a 4.9 percent contraction this year.

American credit rating agency Fitch Ratings announced that the number of defaults in the first five months exceeded the total for 2019 and that the pandemic fallout will erase $5 trillion more. There is no doubt that budgets will be more closely scrutinized in this global contraction. In 2020 and beyond, an entire cybersecurity program must answer the critical question: “Can you put a number on this technology investment?”

Choose the right tools

In order to validate cyber investment with a cyber budget holder, one must first understand cyber event types the organization may face and the range of business assets and operations in question.

Conversations around cyber risk management are often centered around estimating both the probability and impact of a risk event. Using cyber risk analysis centered around probability is alluring because we all want to know the future. When you can predict your cyber future, it becomes very easy to prioritize what risks require more attention. So, considering that most organizations have limited resources, one magic number can give leaders confidence in how their cybersecurity programs are optimized and make them look good to leadership across the enterprise. It seems like a good approach now with shrinking budgets.

However, it’s not enough.

A focus on probability can be misleading and even perilous for analyzing high-impact low-frequency events, such as a large data breach or data destruction event. The tools a leader chooses should look at the big picture in a collaborative and flexible manner that includes input from the entire enterprise. This will allow decisions to be made faster and more accurately.

I’d recommend an approach to cyber risk investment grounded in financial impact analysis, that allows leaders from every business unit to weigh in on what operations and outcomes the company needs to prioritize and determine plausible cyber incidents that could disrupt business operations and their assets.

These financial impacts help inform business decisions such as insurance purchases, investing in controls and more. These costs should be categorized depending on who is affected (and what type of impact it is). And the company should be able to optimize the entire portfolio of controls by playing out how changing one or more controls will impact their exposure. With this kind of methodology, a CISO can quickly determine if it’s cheaper to implement a control or buy insurance or put a number on impact (and sleep better at night if it’s relatively low).

CISOs now have a golden opportunity to take advantage of their publicity and show the organization (and the world) that even in times of uncertainty, cybersecurity investment can be managed quickly and bring a much-needed structure in these times.