3 of the Biggest Challenges Cyber Security Experts Are Facing - "no filter version"
This post was originally posted on Linkedin by our co-founder Eli Migdal here.
Whether you are a CISO, a Consultant, a Pen Tester or a Cyber-Focused System Administrator (I have been 3 of the 4 myself), you find yourself in a complex reality in 2019, and I presume it will only get more challenging in 2020.
Now I am warning you – I am not going to be “generic” or “soft” in this article – I am going to hit it hard where it hurts, but I think we need to address it head-on – with no buffers, as Cyber Security professionals usually do with cyber risks.
1 – Our role is not completely clear to C-Suite and Top Board level management
I know, it’s not 2010, and I think that “everyone” understands that a modern organisation can’t exist without information security, BUT the level of clarity is still low.
From my personal experience, the CISO role is, in many cases, a “forced upon by the latest reality” role and only in a few organisations is the CISO role considered to be a proper catalyst for growth.
We need to ask ourselves – are we a catalyst for growth? Or are we the “patch / ad-hoc” function that isn’t really wanted but is a MUST because the risk is too high without it?
In my opinion, we are a critical catalyst for growth – Cyber Security and Cyber Resilience are part of the core essence of any business that is reliant on technology (which is most businesses nowadays).
If the C-Suite and board members don’t see that – you need to provide them with sufficient, precise clarity on our value to the organisation.
2 – Is it a real risk or a buzz word?
To quote Queen, “is this the real life, or is this just fantasy?” It’s our responsibility to differentiate between a buzz word that your C-Suite and board members will be hearing and a real threat that puts your organisation at risk.
The hardest part is with things like Zero-Day attacks, where you don’t really know the impact until you’ve “seen” or, even worse, “felt” it yourself.
We need resources for R&D, for reading, exploring, testing, simulating, preparing, and building resilience.
We need to know VERY QUICKLY if it’s a “real risk” or a buzz word, and for that we need resources. Asking for resources from the C-Suite and Board is very hard when you don’t have clarity, when your potential risks are not actually quantified.
For example, let’s say you ask the Board for a 150K budget to set up a team that will:
- Investigate all new threats and test them
- See which solutions work and which don’t
- Determine which risks are actually dangerous for your organisation and which are not
- Run them in a duplicated sandbox of your company infrastructure and so on
How can your Board know if 150K is expensive or cheap for this type of request? On what basis are you asking them to assess a risk that has not occurred yet?
My approach is again Clarity.
You can show your current biggest risks, quantify them as specifically as you can for your organisation and then you can benchmark those worst-case risks to a potential “next worst-case” or Zero-Day attack.
3 – Selling Cyber Security is very hard
Like it or not, we are all salesmen (or women). We must ‘sell’ the problem, then sell the solution, and sell ourselves as the best person or team to make the problem go away by “being on top of it”.
I’ve written a dedicated article on the subject:
Now, let’s discuss solutions:
I am all for Clarity – the C-Suite and board members NEED to see “what we see” in their language which is:
- Risk Factors
- Financial Impact
- Risk Mitigation / Risk Assessment
Using boardish.io, in the example above you can see it very clearly in C-Suite and board level language: we translate cyber language into “plain” numbers!
Threat: Data Leakage
- Total Threat Loss / Cost (The Risk Factor) – 203.87M – this is the main financial impact of the highest threat in this example list.
- How is the Threat Cost built? – The components include Regulation Loss, Salary Loss, Sales Loss, Market Loss.
- Solutions Contribution on-prem & in the cloud – This is the Risk Mitigation: by how much our proposed solutions mitigate the risk.
- Exposure – The last critical part of the Risk Assessment – after we mitigate the risk – what is our remaining exposure?
- Solutions – how many solutions are involved in risk mitigation and what is their cost?
Give your board Clarity in their language and I think, I hope, our biggest problems will be solved.
Going back to question #2 of my article – is 150K an expensive request when the biggest threat to the Organisation is more than 200M? No! And now you have the Clarity to prove it, with no misunderstandings about your role.
You are the professional that is mitigating one of the biggest threats to the entire organisation.