5 Common Mistakes Made with IT and Cyber Risk Assessments


IT and Cyber Risk Assessments

Organisations must regularly conduct cyber risk assessments to test their preparedness for cyber threats and ensure they have the best possible remediation strategies. 

But not all cyber risk assessments are created equal.  

Why cyber risk assessments sometimes fail to deliver 

A regular cyber risk assessment process usually boils down to just a few major steps: 

#1 Identification of: 

  • Assets – Servers, sensitive data, contact information, user accounts – anything whose compromise or outage would derail the organisation. 
  • Threats – Natural disasters, human error, system issues, malicious attacks – anything that can cause an outage of operations and services.
  • Vulnerabilities – Current weaknesses that are revealed through vulnerability repositories, security analysis, penetration tests, vulnerability scanners, and others.

#2 Analysis – Assessing the controls already in place and how well they hold up against the identified threats and vulnerabilities. 

#3 Risk evaluation – Estimating how likely a specific incident is and how much impact it would have given the current controls and strategies. 

#4 Remediation – Prioritisation of identified security risks and determining adequate controls to mitigate risk for each.

There’s a notion that cyber risk assessments do not do much in terms of protecting the organisation against cyber threats, but in reality, the assessment isn’t the problem – it’s how it’s conducted. 

Common Mistakes Made During IT and Cyber Risk Assessments

When the above steps are not carried out properly, major risks can go undetected. The most common mistakes are: 

#1 Going alone and not involving other teams

Nowadays, cybersecurity concerns everyone – from IT to the CSO, CISO, CTO, and every board member – because a compromise has such a large impact on the organisation. Therefore, everyone needs to collaborate during cyber risk assessments; otherwise, a large part of the picture will be missing.

Check out our article on collaborating together here: https://www.boardish.io/unite-it-with-compliance-ciso-dpo-cio/ 

#2 Not quantifying impact effectively

The board can’t do much with terms like “low risk” and “high risk.” For them, the financial impact is the most important factor – knowing how much money they could lose (or save) in the long term. 

Without quantifying impact, you can’t give them the full picture. When you can show them they would suffer multi-million losses after a data breach that’s identified as a high-risk threat, it will be much easier to secure $45,000 for threat mitigation! 

#3 Too much focus on the perimeter 

Organisations tend to test their perimeter against threats but overlook internal security policies. Data loss and breaches often happen because of missing access controls inside the perimeter. 

Internal security policies – how data is shared, who has access to sensitive documents, and what happens when they are accessed from BYOD devices – must be part of the cyber risk assessment too.  

#4 Ignoring weak spots: vendors and business partners

Many cyber risk assessments don't look far beyond the organisation's own boundary, even though third parties are granted access to sensitive data and are often the point of entry for a breach. 

Are you making sure your partners look after their cybersecurity as carefully as you do? Have you put mitigations in place for the case that one of them is breached? 

#5 Relying solely on industry averages

While something might be considered low-risk for your industry, your particular organisation might be at high risk because it lacks good controls. 

Risk assessments must always be conducted specifically for the company, using its own numbers, values, and implemented controls. That's the only way to get quantifiable data that is relevant and specific to your organisation.

A proactive and collaborative approach towards cybersecurity

Keeping your organisation safe against security threats requires a more proactive approach than simply having a security strategy and security software in place. Cyber risk assessments, when done correctly, help identify weak spots and remediate them effectively. 


How to Quantify Cyber Threats as a CISO in 2020


The Internet Organised Crime Threat Assessment (IOCTA) 2019, published by Europol, shows that the threat landscape has matured and that the key threats have grown in persistence and tenacity. 

The report confirms that ransomware remains a top threat. Phishing, spear-phishing, and exposed or vulnerable Remote Desktop Protocol (RDP) services are identified as the primary infection vectors. 

Such a threat landscape requires continuous efforts in the identification of main cyber threats to the organization and how much damage they can do. 

CISOs need to be prepared for 2020 and coordinate their security efforts with the board and their company goals. 

Communicating cyber threats in the board’s language—exact figures and business impact—requires a way to quantify these threats. 

To quantify these cyber threats, CISOs require greater access to the organization’s key financial data and other indicators.   

#1 Identifying the biggest threats and their financial impact on the company 

Identification of the largest cyber threats seems to be the biggest hurdle in presenting cyber risk and exposure, mainly due to the fragmentation of digital solutions in organizations.

According to Deloitte's Future of Cyber Survey, 41% of CISOs say Shadow IT is the most challenging aspect of cybersecurity management in their organisation, followed closely by 37% who name cyber transformation as a large challenge.

Shadow IT makes it challenging to quantify cyber risk, as there is no overview of all systems. This makes it next to impossible to get a good snapshot of organizational cyber maturity or security posture. 

When the departments integrate digital solutions on their own, there is no alignment of IT with critical business goals. 

How does it relate to quantifying cyber threats? 

The board requires a good overview of the maximum potential threat so they can make the right risk decisions. Getting Shadow IT under control is the first step towards being able to deliver such assessments. 

Simply saying the largest cyber risk (such as data leakage or breach) will cost the company millions, destroy it, or have far-reaching consequences is not enough anymore. 

How much would the cyber incident cost if left as is? 

How much would your solution cost? 

How much exposure would remain after implementing the solution? 

Would your solution be a sound decision, from a financial standpoint?

Speak in actual numbers that affect the company, not industry averages.


#2 Getting access to the company turnover figures

Back in the day, CTOs and sysadmins (as they were called in smaller companies) had nothing to do with turnover figures or any other financial statements outside the realm of IT. Times have changed; cybersecurity is now an integral part of every company. 

With digital systems running in every department, the CISO requires a full overview of each of them to devise a data and information security strategy that will minimise risk and make the organisation more resilient to threats. 

How does it relate to quantifying cyber threats? 

Nowadays, CISOs must have access to company turnover figures in order to be able to quantify risk in terms that the board will understand. If the board wants to talk about cyber threat risk figures, you must show them how cyber threats will affect the organisation’s turnover. 

Profit and loss reports would give better insight, but they are often hard to obtain if you're not in a directorial position. Instead, focus on getting company turnover numbers to build your case.


#3 Presenting the impact of technology issues on employees 

To get a clearer picture of how a cybersecurity incident will affect employees, it’s best to separate users as high, medium, and low impact. 

Technology issues won’t affect all users in the company in the same manner. 

Some will experience only mild inconveniences but be able to continue working. 

Some won’t be affected at all.

Some, however, won’t be able to do a single thing until the issue is resolved. 

How does this relate to quantifying cyber threats? 

Quantifying the impact of cyber risk depends heavily on how your operations will take a blow. When you have a clear picture of how dependent your users are on technology, you will be able to calculate the impact. 

If users can’t do their job at all—high impact users—it means their operations are standing still, which makes the risk and its cost greater. 

If users aren’t that affected, the cost will be lower too.


#4 Presenting the financial impact of “downtime” on the company’s salaries 

The number of high, medium, and low impact users determines more than the extent of the operational impact. It also shows how much downtime will cost in salaries: how much the organisation pays employees who cannot work while the incident is being resolved. 

How does this relate to quantifying cyber threats? 

Even if employees can’t work because of the security incident that needs to be resolved, they will still get their salary for the day. How much will this add to the total cost of the security incident? 

You don't need exact figures for every employee, of course, but salary averages will let you estimate this cost. 

To get some idea on salary figures, ask the CFO or somebody in the financial department. You might even want to use external resources that can give you averages, such as Glassdoor.


#5 Determining the financial impact of “downtime” on the company’s sales 

Cybersecurity incidents often hit company sales hardest, because sales processes depend heavily on technology. Your e-commerce store won't bring in any sales if the servers are under attack or payment processing is down. 

How does this relate to quantifying cyber threats? 

While sales aren’t your responsibility, the impact of cyber threats on sales falls within your role. CISOs have the responsibility to communicate the impact of cyber threats on sales and present the costs of worst-case scenarios. 

How many turnover days will the company lose in case of threat X? 

Within each of those days, what percentage of sales will be lost? 

What is the chance of losing market positioning in case of threat X?

To provide relevant numbers, you must include the Sales team, and any other team related to sales to give you the required information on how market positioning and sales will be affected in worst-case scenarios.


What is the financial impact of IT regulations? 

Information and data are top targets of cyberattacks, and most companies, whatever their industry, are subject to regulations on how they must protect them. 

Take GDPR as an example: the regulation sets very high maximum fines for companies that fail to take the necessary measures to protect personal data (what US usage calls personally identifiable information, PII). 

How does this relate to quantifying cyber threats? 

CISOs must quantify the impact of every regulation that applies to the company under worst-case scenarios. Under GDPR, for example, the most serious infringements can be fined up to 20 million euros or 4% of the company's total worldwide annual turnover for the preceding financial year, whichever is higher, and that ceiling must be included in the potential financial impact of a data breach. 

Few companies could easily recover from a fine at that level, so the maximum exposure belongs in the model even if the fine actually imposed would be lower.


What is the efficiency of my solutions against the biggest cyber threats? 

After presenting the cyber threats most likely to affect the company, CISOs must also present the solutions. To sell a solution, you must quantify it too: its immediate and annual costs, compared with the cost of the threat it addresses. 

In addition, there is also the efficiency factor of the solution—how much of the risk will it mitigate, and how much exposure would remain? 

The efficiency of a solution depends on the threat type and the environment. Is it on-premises? Is it in the cloud? 

Very few cyber solutions are 100% efficient, so decision-makers need to see the exposure that remains and weigh up the residual risk themselves. 

How does this relate to quantifying cyber threats? 

The reason why CISOs must quantify cyber threats is to put the costs in perspective when compared to the costs of efficient solutions. 

Solution efficiency and cost help them justify investments that will improve the company’s resilience and overall security posture. 

It is likely that CISOs will have more than one option for mitigating the biggest threats, each with a different efficiency depending on the environment. 

Showing the summed-up cost of the solutions against the cost of a security incident without them helps the board understand how much a security incident could set the company back.
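The pieces above (impact tiers of users, the salary cost of downtime, lost sales per turnover day, the regulatory ceiling, and the cost and efficiency of each solution) fit together in a single model, and the same model also covers the likelihood-and-impact step of the risk assessment post earlier on this page. The following is an added worked example, not Boardish's own method or code. Every figure in it (turnover, headcounts, daily salaries, likelihoods, downtime, solution costs and efficiencies) is a constructed placeholder, and the "efficiency" fraction is an assumed input that the CISO would have to estimate per threat and environment.

```python
"""Worked cyber-risk quantification model (added example with constructed figures)."""
from dataclasses import dataclass
from typing import Dict, List, Sequence


@dataclass(frozen=True)
class UserGroup:
    """One impact tier of employees (the high / medium / low split)."""
    name: str
    headcount: int
    daily_salary: float        # average fully loaded cost per person per working day
    productivity_loss: float   # 1.0 = cannot work at all, 0.5 = half as productive, 0.0 = unaffected


@dataclass(frozen=True)
class Threat:
    name: str
    annual_likelihood: float    # estimated probability of the incident in a given year
    downtime_days: float        # working days during which operations are degraded
    sales_loss_fraction: float  # share of a normal day's sales lost on each downtime day
    personal_data_breach: bool  # if True, add the GDPR maximum fine as worst-case exposure


@dataclass(frozen=True)
class Solution:
    name: str
    upfront_cost: float
    annual_cost: float
    efficiency: float           # assumed fraction of the threat's annual exposure the control removes


def gdpr_max_fine(annual_turnover: float) -> float:
    """GDPR Art. 83(5) ceiling: EUR 20 million or 4% of worldwide annual turnover, whichever is higher."""
    return max(20_000_000.0, 0.04 * annual_turnover)


def salary_cost(groups: Sequence[UserGroup], downtime_days: float) -> float:
    """Salaries paid to people who cannot (fully) work while the incident lasts."""
    return sum(g.headcount * g.daily_salary * g.productivity_loss * downtime_days for g in groups)


def sales_cost(annual_turnover: float, turnover_days: int, threat: Threat) -> float:
    """Sales lost over the downtime, using turnover per trading day as the daily baseline."""
    daily_sales = annual_turnover / turnover_days
    return daily_sales * threat.sales_loss_fraction * threat.downtime_days


def incident_cost(threat: Threat, groups: Sequence[UserGroup],
                  annual_turnover: float, turnover_days: int = 250) -> float:
    """Worst-case cost of one occurrence: salaries + lost sales (+ regulatory ceiling)."""
    cost = salary_cost(groups, threat.downtime_days) + sales_cost(annual_turnover, turnover_days, threat)
    if threat.personal_data_breach:
        cost += gdpr_max_fine(annual_turnover)
    return cost


def annual_exposure(threat: Threat, groups: Sequence[UserGroup],
                    annual_turnover: float, turnover_days: int = 250) -> float:
    """Likelihood-weighted cost per year (the 'risk' figure the board is asked to weigh)."""
    return threat.annual_likelihood * incident_cost(threat, groups, annual_turnover, turnover_days)


def compare_solutions(threat: Threat, solutions: Sequence[Solution], groups: Sequence[UserGroup],
                      annual_turnover: float, turnover_days: int = 250) -> List[Dict[str, float]]:
    """For each solution: residual exposure left after it, its first-year cost, and the net benefit."""
    base = annual_exposure(threat, groups, annual_turnover, turnover_days)
    rows = []
    for s in solutions:
        residual = base * (1.0 - s.efficiency)
        first_year_cost = s.upfront_cost + s.annual_cost
        rows.append({"solution": s.name, "base_exposure": base, "residual_exposure": residual,
                     "first_year_cost": first_year_cost, "net_benefit": base - residual - first_year_cost})
    return rows


# Constructed sample input (hypothetical company); replace with the organisation's own numbers.
TURNOVER = 50_000_000.0
GROUPS = [UserGroup("high impact", 40, 400.0, 1.0),
          UserGroup("medium impact", 100, 350.0, 0.5),
          UserGroup("low impact", 60, 300.0, 0.0)]
BREACH = Threat("ransomware with data exfiltration", 0.3, 5, 0.8, True)
DDOS = Threat("DDoS against the web shop", 0.5, 2, 1.0, False)
SOLUTIONS = [Solution("EDR + immutable backups", 120_000.0, 60_000.0, 0.7),
             Solution("backups only", 30_000.0, 10_000.0, 0.4)]

if __name__ == "__main__":
    for threat in (BREACH, DDOS):
        print(f"{threat.name}: incident cost {incident_cost(threat, GROUPS, TURNOVER):,.0f}, "
              f"annual exposure {annual_exposure(threat, GROUPS, TURNOVER):,.0f}")
    for row in compare_solutions(BREACH, SOLUTIONS, GROUPS, TURNOVER):
        print(f"  {row['solution']}: residual {row['residual_exposure']:,.0f}, "
              f"first-year cost {row['first_year_cost']:,.0f}, net benefit {row['net_benefit']:,.0f}")
```

In the sample run the GDPR ceiling dominates the breach scenario, which is exactly the point of including it: the board sees the maximum exposure, the residual left by each option, and the first-year cost side by side, instead of a "high risk" label.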


Conclusion: 

For 2020, CISOs must answer critical business questions clearly and speak in exact figures. They must quantify cyber threats and present solutions in terms of how they help maintain critical business strategy and operations. 

With Boardish – boardish.io – CISOs will have access to a tool that helps them quantify cyber threats quickly, without having to deploy anything on-premise or grant access to their systems. 

CISOs must work together with all departments and get all relevant information to present real threats in real numbers. 

Boardish can help them create a snapshot of their company and help them run scenarios of different threats and their financial and market impact. 

Let 2020 be the year of real numbers!


Boardish Signs a Service Partnership with Global Risk Management and Advisory Firm Jeanensis


Boardish is continuing to broaden its network of partnerships, with its latest global service partner being Jeanensis – one of the leading global risk management and advisory firms based in New York.

Jeanensis LLC has three distinct branches – Jeanensis Research and Intelligence, Jeanensis Capital Markets, and Jeanensis Advisory Partners – and provides risk advisory, research and intelligence, and capital markets services to forward-thinking clients. Its mission is to provide insight, guidance, and commitment to each of its clients.

Jeanensis focuses on the fast-developing industries of fintech, regtech, AI, blockchain, innovation, and technology, and provides advisory services to venture investors, mid-market firms, and multinationals from those industries.

The new partnership brings new capabilities to both partners. Jeanensis gains a toolkit that enables actual risk quantification, making it much easier to communicate and present risk and opportunity to their clients and putting them ahead of competitors. Boardish, in turn, gets more insight into the latest developments sweeping through the tech industries, which helps it improve and tune its product and feeds its monthly report offering.

With this partnership, Jeanensis clients will now have access to actual numbers for each risk and solution, improving communication and making decision-making much faster.

Want to become a Boardish service partner? – Check out here: https://www.boardish.io/service-partners-resellers/


Boardish Signs New Service Partnership with Women’s Powerhouse Firm Tiisa Group


One of the guiding philosophies at Boardish is to make the CISO’s lives easier and allow organizations to make informed decisions on risk using quantification into financial figures.

Boardish's latest partnership is with the ground-breaking risk-management firm Tiisa Group, a women-led powerhouse in Africa operating in a mostly male industry. Tiisa Group aims to solidify its clients' security with risk management and governance services that strengthen business activities while providing practical solutions.

The new Boardish service partnership allows Tiisa Group to enhance its offering to clients by providing not only risk management but the next step as well: risk quantification. For Boardish, the Tiisa Group is an excellent opportunity to share and expand its methodology and toolkit into Africa, widening its reach.

Boardish co-founder Eli Migdal says, “We're really excited to have the opportunity to work with the Tiisa Group and extend our collaboration with leading risk management organizations further.”

Tiisa Group Director Denise Nel echoed Eli’s sentiment by saying, “we are excited about the value that Boardish adds to the Cyber conversation at senior management and board level. Finally, a tool that provides tangible quantified insights into the cyber risk exposure and where to prioritise mitigation.”

The new partnership opens a pathway for both parties, as they can now provide new and improved services to both prospective and existing clients.

Want to become a Boardish service partner? – Check out here: https://www.boardish.io/service-partners-resellers/


Rebuilding Your IT Budget After COVID-19


The COVID-19 pandemic shows just how hard it is to prepare for major business disruptions. Nobody expected a global pandemic to disrupt so many businesses, and many had not quantified the risk of being affected long-term by such an event.  

Many businesses had very little time to prepare for the impact, as their business continuity plans did not include this scenario. Crisis management now revolves around abandoning budgets completely and cutting expenses wherever possible just to stay afloat.

Unfortunately, this means that every expenditure and every budget across major functions is being scrutinised, cut down, or removed completely.

Moving away from reacting

This approach is to be expected, as businesses have had no choice but to go for what many would describe as a knee-jerk reaction to COVID-19.

But now, in the middle of the crisis, businesses need to make time to move away from the reactive approach and work on long-term pandemic mitigation strategies if they want to stay viable.

Pivoting quickly is the name of the game and that includes reevaluating expenditures, impact, and short or long-term goals amidst this novel crisis.

Getting the priorities straight

The number one priority is to keep the business viable. For most, this means accelerating the digital transformation, enabling employees to work from home and offering services online.

As an IT and cyber professional, you’ll need a way to show the board the impact the COVID-19 crisis has on business technology, how it affects employees, the impact of downtime, new regulations, and how your solutions can help mitigate negative effects.

You need a way to make it abundantly clear which parts of the IT budget are needed to keep all essential services and functions running and to move towards digitisation of business functions.

For all of this to be justifiable at a time when boards have taken a cutthroat stance towards most expenditures, you need to quantify every single IT expense right now.

Remember, the board is now looking to take away anything they deem unnecessary, so don’t go for any type of “nice to have” things in the IT budget – you need to rebuild the budget according to the current crisis and make a good case for the crucial “staying in business” expenses right now.

Boardish helps you rebuild your IT budget

As a tool that can quantify different cyber and technological events and regulatory changes, Boardish helps you present what really matters to the board right now – solutions that will keep the business running throughout the crisis and which options will mitigate the impact on the business the most.

With most employees staying home, the business will need a robust platform that will enable them to connect from home and work efficiently, but at the same time mitigate any risk of cyberattacks when connecting this way.

Maybe the organization is not ready to implement such a system now, but the alternative – not working for a while – is actually worse than they think, or is it? You can quantify whether it’s better to ‘hibernate’ or ‘push forward’ using financial figures.

With Boardish, you can show the board the impact on the bottom line in case employees can’t work from home at all, versus working from home with different platforms and solutions that can help keep the operations running.

While implementation in the middle of the crisis sounds like something the board would never agree to, with the numbers for your specific business to back you up, you can show them that stopping operations or even letting people go will cost them more in the long run and can make recovery harder once the crisis is over.

With real figures to back you up, you’ll be able to make a solid case in front of the board and ensure your IT budget can support the business and operations through these uncertain times.

Boardish started as and always will be an IT budgeting tool that helps gain immediate clarity. Rebuilding the budget is much easier when you can quantify everything and speak in financial figures instead of just labelling risk as low, mid or high.


Start Rebuilding Today

We’re well aware that right now you can’t invest in anything that’s not considered absolutely crucial to keeping the business running.

Because of that, you can use all of the Boardish features for free for the next 2 months during the COVID-19 pandemic, in order to get the clarity you need.

It’s time to put these new risks into actual numbers and bridge that communications gap with the board.


Making Sense of AI Cybersecurity Data for Enterprises


CISOs are facing a challenge with AI cyber data points created by software solutions used in their organisation to monitor enterprise security. So, how can they explain the AI cyber data to the executive stakeholders and help improve clarity in their decision making? 

The Problem with AI Cyber Data

Plenty of well-established risk domains, such as credit or market risk, are clear to the board because they are expressed in economic terms—revenue gain/loss, value, and operational costs. 

With cyber risk, the main issue lies in the risk calculation methods—presenting the actual organisational impact to the board is hard without financial numbers to back up claims.

Cybersecurity specialists have started using AI solutions to identify potentially malicious activities and software before they can do lasting damage. These produce tremendous amounts of AI cyber data on detected issues or threats. 

Why It Gets Complicated

AI cybersecurity data helps CISOs present a case in front of the board, but often they can only report what risks were mitigated or potential risks raised and not how much was, or could be, saved in financial terms. 

Making sense of AI cyber data becomes a challenge in itself because key components to calculate financial impact are missing. 

  • CISOs often use qualitative methods to present cyber risk, but these are not accurate enough to rely on for crucial decisions: they give no definitive prioritisation of the identified risks.

To demonstrate: risks are ranked on a low, medium, and high scale. How do you quantify and explain how much higher a high risk is than a medium one? How do you argue why some risks are medium instead of high?  

  • When using quantitative methods, CISOs draw on data and events from their industry and sector to determine risk and prioritise cybersecurity solutions. The numbers they rely on come from recent high-profile breaches, with a focus on organisations similar in size, technology, and internal structure. But this method has no way to demonstrate the actual economic impact on their own organisation. 
  • AI solutions used to monitor the organisation often lack key analytical capabilities. While good at detecting issues and mitigating risk, they cannot show how technology, personnel, processes, and internal policies affect the magnitude and frequency of each risk, nor point towards broader systemic issues in the organisation's security posture.   
  • AI cyber data carries no information on the impact of legal and regulatory changes in the industry. On its own it only lets CISOs tell the executives that a regulation has changed and that it will affect the organisation. Most often, this requires partnering with the legal team for the analysis. 

How Can CISOs Get Accurate Numbers for Cyber Risk? 

Organisations must know figures because they help them decide which risks must be addressed first, and help reduce the uncertainty when choosing risk mitigation solutions. 

Industry-wide data provides just a ballpark figure and isn’t accurate enough. 

CISOs must transform AI cybersecurity data into information the board will understand and know how to work with—this means using actual numbers and financial impact on their organisation. 

The technical data from AI solutions is a good start, but CISOs must add the regulatory impact and must check and validate the tools' output (detections include false positives and duplicates) before going to the board. That is the only way to paint a complete and accurate picture.

Instead of presenting industry events or relying on past incidents, they can use tools that convert the AI cyber data from their security solutions into actual numbers for security events relevant to their own organisation. 

The right tools help them transform the data to financial terms that the executives will understand. This way, they will have an easier time getting approval for cybersecurity investments and defending their risk management decisions.   

More importantly, CISOs must make time to check these numbers regularly as it helps create benchmarks that are based on their data instead of wider industry data, providing the most accurate data points for decision-makers to work with.  

Using AI Cyber Data to Create a Full Picture

The changing nature of the cybersecurity environment and the regulatory framework requires frequent security posture analysis and fine-tuning of the areas where results are lacking. This is only possible by using AI cybersecurity data specific to your organisation and quantifying it. 

Boardish helps you get back control over AI cyber data by quantifying and validating all data before you bring it to the board. 
