Whether you are a CISO, a consultant, a pen tester or a cyber-focused system administrator (I have been three of the four myself), you find yourself in a complex reality in 2019, and I presume it will only get more challenging in 2020.
Fair warning: I am not going to be “generic” or “soft” in this article. I am going to hit hard where it hurts, because I think we need to address this head-on, with no buffers, the way cyber security professionals usually address cyber risks.
I know it is not 2010, and I think “everyone” understands that a modern organisation cannot exist without information security. BUT the level of clarity is still low.
From my personal experience, the CISO role is, in many cases, a role “forced upon” the organisation by the latest reality, and only in a few organisations is the CISO considered a proper catalyst for growth.
We need to ask ourselves: are we a catalyst for growth? Or is our focus on “patching” and ad-hoc work that nobody really wants, but that is a MUST because the risk is too high without it?
In my opinion, we are a critical catalyst for growth: cyber security and cyber resilience are part of the core essence of any business that relies on technology (which is most businesses nowadays).
If the C-Suite and board members don’t see that, you need to provide them with sufficient, precise clarity about our value to the organisation.
To quote Queen, “is this the real life, or is this just fantasy?” It is our responsibility to differentiate between a buzzword that your C-Suite and board members will be hearing and a real threat that puts your organisation at risk.
The hardest part is with things like zero-day attacks, where you don’t really know the impact until you have “seen” it, or even worse, “felt” it yourself.
We need resources for R&D: for reading, exploring, testing, simulating, preparing and building resilience.
We need to know VERY QUICKLY whether something is a “real risk” or a buzzword, and for that we need resources. Asking the C-Suite and Board for resources is very hard when you lack clarity, when your potential risks are not actually quantified.
For example, let’s say you ask the Board for a 150K budget to set up a team that will:
How can your Board know whether 150K is expensive or cheap for this type of request? On what basis are you asking them to judge a risk that has not occurred yet?
My approach, again, is clarity.
You can show your current biggest risks, quantify them as specifically as you can for your organisation, and then benchmark those worst-case risks against a potential “next worst case” or zero-day attack.
Like it or not, we are all salespeople. We must ‘sell’ the problem, then sell the solution, and then sell ourselves as the best person or team to make the problem go away by “being on top of it”.
I’ve written a dedicated article on the subject:
Now, let’s discuss solutions:
I am all for clarity: the C-Suite and board members NEED to see “what we see” in their language, which is:
Using boardish.io, in the example above you can see it very clearly in C-Suite and board-level language: we translate cyber language into “plain” numbers!
Threat: Data Leakage
Give your board clarity in their language and I think, I hope, our biggest problems will be solved.
Going back to question #2 of my article: is 150K an expensive request when the biggest threat to the organisation is worth more than 200M? No! And now you have the clarity to prove it, with no misunderstandings about your role. You are the professional mitigating one of the biggest threats to the entire organisation.
Explain why and how your solutions work to a non-technical audience.