How to Quantify Cyber Threats as a CISO in 2020


The recently released Internet Organised Crime Threat Assessment (IOCTA) for 2019 by Europol shows that the threat landscape has matured, and key threats have grown in persistence and tenacity. 

The report confirms that the threat of destructive ransomware remains high. Phishing, spear-phishing, and vulnerable remote desktop protocols have been identified as the primary infection vectors. 

Such a threat landscape requires continuous efforts in the identification of main cyber threats to the organization and how much damage they can do. 

CISOs need to be prepared for 2020 and coordinate their security efforts with the board and their company goals. 

Communicating cyber threats in the board’s language—exact figures and business impact—requires a way to quantify these threats. 

To quantify these cyber threats, CISOs require greater access to the organization’s key financial data and other indicators.   

#1 Identifying the biggest threats and their financial impact on the company 

Identification of the largest cyber threats seems to be the biggest hurdle in presenting cyber risk and exposure, mainly due to the fragmentation of digital solutions in organizations.

According to Deloitte’s Future of Cyber Survey, 41% of CISOs state that Shadow IT presents the most challenging aspect of cybersecurity management in the organization, followed closely by 37% of CISOs stating that cyber transformation presents a large challenge.

Shadow IT makes it challenging to quantify cyber risk, as there is no overview of all systems. This makes it next to impossible to get a good snapshot of organizational cyber maturity or security posture. 

When the departments integrate digital solutions on their own, there is no alignment of IT with critical business goals. 

How does it relate to quantifying cyber threats? 

The board requires a good overview of the maximum potential threat so they can make the right risk assessments. Getting Shadow IT under control is the primary objective in being able to deliver such assessments. 

Simply saying the largest cyber risk (such as data leakage or breach) will cost the company millions, destroy it, or have far-reaching consequences is not enough anymore. 

How much would the cyber incident cost if left as is? 

How much would your solution cost? 

How much exposure would remain after implementing the solution? 

Would your solution be a sound decision, from a financial standpoint?

Speak in actual numbers that affect the company, not industry averages.

 

#2 Getting access to the company turnover figures

Back in the day, CTOs and sysadmins, as they were called in smaller companies, had nothing to do with turnover figures or any type of financial statements outside of the realm of IT. Times have changed, and nowadays, cybersecurity is an integral part of every company. 

With digital systems running in every department, the CISO requires a full overview of each of them to devise a data and information security strategy that will minimise risk and make the organisation more resilient to threats. 

How does it relate to quantifying cyber threats? 

Nowadays, CISOs must have access to company turnover figures in order to be able to quantify risk in terms that the board will understand. If the board wants to talk about cyber threat risk figures, you must show them how cyber threats will affect the organisation’s turnover. 

The profit/loss reports would give better insight, but these are impossible to get if you’re not in a directorial position. Instead, focus on getting company turnover numbers to build your case.

 

#3 Presenting the impact of technology issues on employees 

To get a clearer picture of how a cybersecurity incident will affect employees, it’s best to separate users into high-, medium-, and low-impact groups. 

Technology issues won’t affect all users in the company in the same manner. 

Some will experience only mild inconveniences but be able to continue working. 

Some won’t be affected at all.

Some, however, won’t be able to do a single thing until the issue is resolved. 

How does this relate to quantifying cyber threats? 

Quantifying the impact of cyber risk depends heavily on how your operations will take a blow. When you have a clear picture of how dependent your users are on technology, you will be able to calculate the impact. 

If users can’t do their job at all—high impact users—it means their operations are standing still, which makes the risk and its cost greater. 

If users aren’t that affected, the cost will be lower too.

 

#4 Presenting the financial impact of “downtime” on the company’s salaries 

The number of high-, medium-, and low-impact users determines more than just the extent of the impact. It also shows how much downtime will cost in terms of salaries, that is, how much it will cost the organization that these employees won’t be able to work. 

How does this relate to quantifying cyber threats? 

Even if employees can’t work because of the security incident that needs to be resolved, they will still get their salary for the day. How much will this add to the total cost of the security incident? 

You don’t need exact figures for every possible employee you hire, of course, but having an idea of salary averages will help you determine this cost. 

To get some idea on salary figures, ask the CFO or somebody in the financial department. You might even want to use external resources that can give you averages, such as Glassdoor.

 

#5 Determining the financial impact of “downtime” on the company’s sales 

Most of the time, cybersecurity incidents have the greatest impact on company sales, since the sales processes are heavily dependent on technology. Your e-commerce stores won’t bring you any sales if the servers are under attack or if payment processing is down. 

How does this relate to quantifying cyber threats? 

While sales aren’t your responsibility, the impact of cyber threats on sales falls within your role. CISOs have the responsibility to communicate the impact of cyber threats on sales and present the costs of worst-case scenarios. 

How many turnover days will the company lose in case of threat X? 

Within each of those turnover days, what percentage of sales will go down the drain? 

What is the chance of losing market positioning in case of threat X?

To provide relevant numbers, you must involve the Sales team, and any other team related to sales, so they can give you the required information on how market positioning and sales will be affected in worst-case scenarios.

 

What is the financial impact of IT regulations? 

Information and data are top targets of cyberattacks, and all companies are under strict regulations on how to protect them, no matter what industry you are in. 

Take GDPR as an example—the data protection act lists extremely high fines for companies that do not take necessary measures when it comes to personally identifiable information (PII). 

How does this relate to quantifying cyber threats? 

CISOs must quantify the impact of all regulations pertaining to the company under worst-case scenarios. The GDPR, for example, has extremely high fines: in case of a data breach, the company might face fines of 20 million euros or 4% of its annual revenue, whichever is greater, and this must be included in the potential financial impact of cyber threats. 

Most companies won’t stand a chance of recovery from such high fines.

 

What is the efficiency of my solutions against the biggest cyber threats? 

After presenting the cyber threats that are most likely to affect the company, CISOs must also present the solution. To sell the solution, you must quantify it too: its immediate and annual costs, in comparison to the cost of the threat it is solving. 

In addition, there is also the efficiency factor of the solution: how much of the risk will it mitigate, and how much exposure would remain? 

The efficiency of the solution depends on the threat type and environment. Is it on-prem? Is it in the cloud? 

There are very few scenarios where a cyber solution will have 100% efficiency, so decision-makers need to see the exposure left and weigh up the risk factor themselves. 

How does this relate to quantifying cyber threats? 

The reason why CISOs must quantify cyber threats is to put the costs in perspective when compared to the costs of efficient solutions. 

Solution efficiency and cost help them justify investments that will improve the company’s resilience and overall security posture. 

It is likely that CISOs will have more than one solution for mitigating the biggest threats, with each of them having a different efficiency depending on the environment. 

Showing the summed-up costs of solutions versus the cost of a security incident without solutions will help the board understand just how much a security incident can set the company back.

 

Conclusion: 

For 2020, CISOs must answer critical business questions clearly and speak in exact figures. They must quantify cyber threats and present solutions in terms of how they help maintain critical business strategy and operations. 

With Boardish – boardish.io – CISOs will have access to a tool that helps them quantify cyber threats quickly, without having to deploy anything on-premise or grant access to their systems. 

CISOs must work together with all departments and get all relevant information to present real threats in real numbers. 

Boardish can help them create a snapshot of their company and help them run scenarios of different threats and their financial and market impact. 

Let 2020 be the year of real numbers!


Why Small and Medium-Sized Organizations Are Struggling More With IT & Cyber Budgeting Than Enterprises


There is a very obvious trend that we see in our BOARDISH ecosystem from speaking with our clients and business partners: small and medium-sized companies are “struggling” much more during the IT & Cyber budget approval process.

For small & medium size organizations, we see the following recurring feedback during IT & Cyber budgets:

  • The length of the budget approval process is on average 3 to 4 times longer than in larger organizations.
  • There is not a clear owner for this process. Sometimes it comes from the CTO, CIO, IT Manager or CISO, and in some cases the process is pushed from the CFO.
  • The “budget process” is described as, and I am quoting, “extremely complicated”.

In bigger organizations, we still hear feedback about “complexity” and “Length of process” but in reality, the actual process is much more clear and the length of the process is shorter.

We wanted to find a clear causality for this difference. Initially we thought that larger organizations have more moving parts and more roles, so the process must be more complex, but in reality the process is structured much better in larger organisations, with clear role designation.

We have spoken with many clients and also with our business partners and we are confident that we found that causality.

The most impactful differentiator is the use of “Risk Professionals”.

  • Large organizations are understanding that you can’t budget effectively or get approval from decision-makers without incorporating ‘risk and risk quantification’ into the IT & Cyber budgeting equation. You need to prove the ‘why’ of solutions and what financial impact on the company you are preventing with these costs.
  • Large organizations have much better ACCESS to Risk Professionals and many even have internal roles including CIRO, or ongoing consultants and consultancy retainers. They also have access to enterprise-level resources and tools to help them with risk, and finding solutions.

But what makes Risk Professionals so efficient in the budgeting process?

Risk Professionals are EXPECTED by the management to be the “translator between IT & Cyber and decision-making language”. This is the first CRITICAL step in joining IT & Cyber with the Board so they speak the same language.

It is clear that in most organizations IT & Cyber do not talk the same language as the Decision Makers (Board, C-suite, etc.), and without bridging this gap the budget process is very messy.

When Risk Professionals are involved in the IT & Cyber budget process we see the following advantages:

  • Much clearer responsibilities are laid out in “who should do what” in the Budget process.
  • Budget requests are combined and presented with the Risk factor of the threats you are trying to mitigate.
  • The entire process becomes less “messy” because Risk Professionals are usually very efficient in “structuring” the entire process and managing it much more efficiently. Many Risk Professionals also use Risk Management tools, which help even more.

Is “Showing Risk” enough to get quick decision making?

No.

It’s about HOW MUCH money that risk is going to cost the company. That’s what the board and C-suite are basing their decisions on. Risk and money.

Which is why Risk Quantification is a mandatory piece of the puzzle for getting quick budget approvals!

With Boardish we have noticed that Risk Professionals are the most efficient adopters of the Boardish methodology and application, needing barely any ‘onboarding resources.’ They just get it, because they are already battling risk quantification and are expected by management to help clearly with decision-making.

So what is our advice for Small and Medium organizations?

Use Risk and quantification in your IT & Cyber Budget process

  • Even a basic 4-5 days of Risk consulting will usually give you the structure you need to set you on track to do it yourself.
  • Work with Risk Professionals who are already using Risk Management tools that would likely be too costly for a small organization like yours to purchase!

Want to get started yourself?

Here is a diagram we’ve created alongside our business partner 360inControl® for a complete step by step process.

You can also sign up to Boardish Basic (completely free HERE) to introduce you to the terminology, and methodology you’ll need for Risk Quantification and quicker budget approvals.

Eli Migdal – Co-Founder of Boardish


360inControl® Risk Matrix & Boardish Align For Seamless Remediation to Financial Decision-Making Process


For several weeks now, all forms of activities around the world have been severely affected by COVID-19. In this period of inertia, some companies have seized the opportunity to make the most out of it. 

With this in mind, the past few weeks have been busy for us here at Boardish as well as our partners at 360inControl® who have been working behind the scenes to improve our joint offering.  

Whilst Boardish helps quantify risk into financial impact figures for decision-making, 360inControl® is a leading corporate governance risk and compliance management organisation that helps you manage and assess the risk in your business first.  

As partners, we provide the whole step by step process for remediation through to approval, but our partnership has just gotten more exciting!  

360inControl® Are Aligning Standard Risk Matrix With Boardish  

What does this mean for CISOs?  

That’s the exciting part. CISOs can use the full range of 360inControl®’s tenant and then easily transfer their reporting into Boardish to quickly quantify into financial figures independently. 360inControl® now offers default values for Risk Levels, Likelihood, and Impact Magnitude which align with the Boardish methodology and make it easier to assess and quantify risk.  

This unprecedented move has also taken us one step closer to a joint API to provide the ultimate powerhouse of services to CISOs. 

This stands out to help all of our clients and users create a comprehensive inventory of their data, classify it and evaluate the existing risk levels, covering every aspect from risk awareness and discovery to effective and clear communication with the company’s board. This clears the path for accelerating all forms of approval! 

If you want to read more about 360inControl®’s new risk matrix and how it aligns with Boardish, take a look at their documentation here: https://360incontrol.com/wp-content/uploads/2020/05/360inControl-Default-Risk-Matrix-V-1.41.pdf 


Vulnerability Assessment Best Practices – How To Be One Step Ahead of Attackers (From Identification To Budget approval)


This post was written by our founder and first appeared on Linkedin here

The classic vulnerability assessment process doesn’t work! It’s just too slow.

By the time you’ve finished your patching and remediation 6 – 12 months have passed and you are again one step behind the bad guys.

I wanted to show you how you can make your vulnerability assessment process work. By being efficient and quick enough!

 

Phase 1: Streamline Your Processes

  • Identification
  • Analysis
  • Risk Assessment
  • Remediation

In order to be efficient and quick enough, use technological platforms that streamline the entire process. When the process is clear and has a defined structure and roles, it will go much quicker, without the usual delays.

At Boardish, we recommend using our business partners 360inControl® for phase 1 of the process.

Phase 2: Planning Necessary Resources

This is where many companies get it wrong: the vulnerability assessment process MUST include the resources you need to resolve the issues you find. To be able to deliver the remediation part, in most cases you WILL find issues to solve, and you must be ready with solutions as part of your methodology and process.

  • Solutions – software & hardware
  • Expert costs – the people you need to deploy and maintain your solutions

Then QUANTIFY the solutions and expert costs. This is what is currently missing from a lot of processes. It’s not about a risk score; that’s no longer good enough. It’s risk quantification!

Phase 3: Taking It To Decision-makers

Once you know which solutions you need and how many human resources are required – you can take the info to your decision-makers and get it approved (and then deployed.)

This is where the Boardish methodology and algorithm do their magic: our tool quantifies the information gathered from the vulnerability assessment process into financial figures with which the decision-makers can make quick and efficient decisions.

To sum it up:

  1. The classic way of doing vulnerability assessment does not work because it’s too slow, too much time from process start to completion to actually be effective and responsive to real threats.
  2. Use technological tools, proven methodologies, and frameworks to make the process clear, efficient and quick.
  3. Quantify into clear financial figures to give your decision-makers all the info they need to make quick decisions.

Thank you,

Eli Migdal – the Founder of Boardish.


How To Show Your Board That Cyber Security Solutions are NOT Expensive!


*This article originally appeared on LinkedIn here.


This is not clickbait! – From my personal experience in cyber security and the insights from Boardish I have noticed a very clear analytical insight:

MOST Solutions costs are usually less than 1% of the overall financial impact of the threat.

Allow me to demonstrate using the most simple “threat example” – Data Breach as threat and GDPR as the financial impact.

For the sake of the example, I am going to ignore “Sales Loss” and “Salary Loss”, only focusing on the Regulation Impact and the Market Loss to make it easier:

Our test company will have the following info:

  • Turnover – 50,000,000 USD
  • Employees – 500
  • 1 year to recover from losing market position

The Only Threat that we will use in this example is Data Breach:

 


The Solution in this example will be Microsoft Azure Information Protection P2 (AIP P2), because it has a very clear “per-user cost” and a very clear value and track record against Data Breaches. The cost per user is $5 per month, so the yearly cost per user is 5 × 12 = $60.

* Note that the standalone version of AIP P2 is not the most cost-effective way to purchase this but for this example, I wanted to show an exaggerated case.

 

For this example I will assume 50% efficiency for both on-prem and cloud.

 


We can’t quantify a solution cost without the professional Labour involved in deploying and maintaining the tool, so I am using the following hourly rates similar to those of an IT service provider:

 
(Screenshot: hourly rates table, not reproduced here)

For this example, I am assuming that we need to do a full design and deployment project and then hand it over to the 1st & 3rd level IT team for ongoing maintenance.

  • 25 hours of a Cyber Security Specialist to design the solution
  • 200 (yearly) hours of 3rd Level IT for admin-level deployment & maintenance
  • 180 (yearly) hours of 1st Level IT for more basic-level maintenance

I am setting the Data Breach as a High GDPR regulation impact (which it is for most companies nowadays)

 

And now let’s analyze the Boardish Dashboard:

  • We are filtering to only show the Regulation impact & Market Loss
  • The Total Threat of a Data Breach is $65.0M ($20M is Regulation and $45M is Market Loss)
  • The Total solution cost is $64K

The Total Solution Cost is 0.98% of the Total Threat Cost!
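As an added illustration (not Boardish’s own algorithm, which the post does not publish), the following Python model puts the components walked through above into code, and also serves the exposure discussion in the security-posture post further down: threat cost built from regulation, market, sales and salary loss; solution cost from licences plus expert hours; and the exposure left once the solutions’ efficiency is applied. The hourly rates, the average daily salary, the impact weights, the 250 working days and the 90% chance of losing market position are assumptions, chosen so the data-breach scenario reproduces the $20M regulation and $45M market-loss figures.

```python
from dataclasses import dataclass

WORKING_DAYS_PER_YEAR = 250                                 # assumption
IMPACT_WEIGHT = {"high": 1.0, "medium": 0.5, "low": 0.1}    # assumption


@dataclass
class Company:
    turnover: float          # annual turnover
    employees: int
    avg_daily_salary: float  # assumption: average daily salary cost
    years_to_recover: float  # years to recover a lost market position


@dataclass
class Threat:
    name: str
    fine_fixed: float        # fixed regulatory cap (GDPR: 20M)
    fine_pct: float          # percentage cap (GDPR: 4% of turnover)
    p_lose_market: float     # chance of losing market position (0..1)
    turnover_days_lost: float = 0
    sales_pct_lost: float = 0     # share of sales lost on each of those days
    workdays_lost: float = 0
    users_by_impact: dict = None  # {"high": n, "medium": n, "low": n}


@dataclass
class Solution:
    name: str
    per_user_monthly: float
    labour_hours: dict       # role -> hours for design/deployment/maintenance
    hourly_rates: dict       # role -> hourly rate (assumption)
    efficiency_onprem: float # 0..1
    efficiency_cloud: float  # 0..1


def regulation_loss(c: Company, t: Threat) -> float:
    # GDPR-style worst case: whichever of the two caps is greater
    return max(t.fine_fixed, t.fine_pct * c.turnover)

def market_loss(c: Company, t: Threat) -> float:
    # turnover at risk for the recovery period, weighted by likelihood
    return c.turnover * c.years_to_recover * t.p_lose_market

def sales_loss(c: Company, t: Threat) -> float:
    per_day = c.turnover / WORKING_DAYS_PER_YEAR
    return per_day * t.turnover_days_lost * t.sales_pct_lost

def salary_loss(c: Company, t: Threat) -> float:
    # salaries still paid while high/medium/low impact users cannot work
    users = t.users_by_impact or {}
    idle = sum(n * IMPACT_WEIGHT[k] for k, n in users.items())
    return idle * c.avg_daily_salary * t.workdays_lost

def threat_cost(c: Company, t: Threat) -> dict:
    parts = {"regulation": regulation_loss(c, t), "market": market_loss(c, t),
             "sales": sales_loss(c, t), "salary": salary_loss(c, t)}
    parts["total"] = sum(parts.values())
    return parts

def solution_cost(c: Company, s: Solution) -> float:
    licences = s.per_user_monthly * 12 * c.employees
    labour = sum(h * s.hourly_rates[r] for r, h in s.labour_hours.items())
    return licences + labour

def exposure(total: float, solutions: list, cloud_share: float) -> float:
    # remaining exposure; assumes each solution mitigates its share of
    # whatever the previous ones left (independent mitigation)
    remaining = total
    for s in solutions:
        eff = (1 - cloud_share) * s.efficiency_onprem + cloud_share * s.efficiency_cloud
        remaining *= 1 - eff
    return remaining

def scenario_summary(c: Company, t: Threat, solutions: list, cloud_share=0.5) -> dict:
    total = threat_cost(c, t)["total"]
    cost = sum(solution_cost(c, s) for s in solutions)
    return {"threat_total": total, "solution_cost": cost,
            "exposure_left": exposure(total, solutions, cloud_share),
            "cost_pct_of_threat": 100 * cost / total}


# The post's data-breach scenario: sales and salary loss deliberately left out.
ACME = Company(turnover=50_000_000, employees=500, avg_daily_salary=200, years_to_recover=1)
DATA_BREACH = Threat("Data Breach", fine_fixed=20_000_000, fine_pct=0.04, p_lose_market=0.9)
AIP_P2 = Solution("AIP P2", per_user_monthly=5,
                  labour_hours={"specialist": 25, "level3": 200, "level1": 180},
                  hourly_rates={"specialist": 150, "level3": 100, "level1": 50},
                  efficiency_onprem=0.5, efficiency_cloud=0.5)

if __name__ == "__main__":
    for k, v in scenario_summary(ACME, DATA_BREACH, [AIP_P2]).items():
        print(f"{k:>20}: {v:,.2f}")
```

Under the assumed rates the solution comes to $62,750 against a $65.0M threat total, leaving $32.5M of exposure at 50% efficiency; the exact cost figure depends on the hourly rates, which only the original screenshot carried.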


So the next time you’re trying to get your solutions approved by the board, show them how little it is in relation to the threat factor!

Eli Migdal – The Founder of Boardish


Can you define a clear security posture without quantifying risk exposure figures?


This post was originally posted on Linkedin by our co-founder Eli Migdal here.

Security Posture. I’m hearing this term more and more, and it makes sense: in a world where clarity is key to moving forward, we need a clear definition of “where we stand with security”.

I won’t go into the definition, there’s a good one here by Balbix.

Instead, I want to address the Exposure element, or more precisely the lack of EXACT FIGURES in your exposure information. I think best practices for Risk Assessments are missing the “how much exposure do I have” numbers for many CISOs and Cyber Consultants.

When building your security posture, from my experience and based on my methodology (the Boardish Methodology) you should have the following information:

List of the highest-risk threats; for each threat:

  • What is the chance of losing market position?
  • How many turnover days lost?
  • How many workdays lost?

List of your best solutions to tackle the above threats. For each solution:

  • What is the efficiency of the solution in mitigating the risk, both on-prem and in the cloud? This is a percentage figure that I think both the CISO and IT MUST be able to quantify. If you can’t state the minimum level of efficiency of a cyber tool, what is the point of having it?
  • Total (real) solution cost, including every aspect: design, purchase, deployment, maintenance.

But, the most important number, in my opinion, is the Exposure left AFTER I calculate the impact of the solutions.

With Exposure numbers, I can have clarity when discussing my Security Posture with both the board and internally with Ops, IT, Sales and other departments.

With Exposure figures, the board can decide if they can “live with the level of exposure” or if you as the CISO are required to reduce it more (which, in most cases, will mean investing more into solutions)

So, to answer my headline question of ‘can you define a clear security posture without quantifying risk exposure figures?’ the simple answer is… no, you can’t. :). You need clarity, you need figures, and you need quantification to fully understand and maintain your security posture.

 


Questions that CTO / CIO and CISO are expected to know the answer for in 2020


This post was originally posted on Linkedin by our co-founder Eli Migdal here.

It’s almost 2020. The reality is that as IT & Cyber Professionals we are expected to know how to speak in the board’s language. Okay … maybe not the entire language but some key aspects of it for sure.

And Yes! We are ALSO expected to always be on top of this neverending race of IT challenges in a world where you wake up every week to a different reality. Always providing the best platform, uncovering the latest cyber threats and solutions.

  • What is the turnover of the company? – I remember that some time ago, many years ago, the CTO or “Sys Admin”, as we were called at smaller companies, was not exposed to the turnover figures. Nowadays we MUST be: how can we talk figures if we don’t even have the basic turnover number?

(Note: we don’t need the Profit/Loss report which is much more “tricky” to have for most non-directors, we need the turnover)

  • What are the biggest technological threats to the company, and what is their financial impact, AKA “What is the exact figure”? – There is no real “tiptoeing around it” anymore; we can’t say “a lot” or “huge” or “will destroy the company”. We need to be SPOT ON and be able to show the maximum potential threat so the board can make a proper risk assessment.
  • How many employees will be impacted? – We need to be able to separate the High, Medium and Low impact users. How many users will be completely incapacitated (not able to work at all) if your technological systems are down? Then, how many can still perform some of their job role? And who is barely affected?

 

  • Financial impact of downtime (technology being down) on salaries – In the previous question we asked how many High, Medium and Low impact users you have in your organisation. This time we are asking how much it will cost the organisation for these employees to not be able to work. No! – you don’t need to know how much Janice from accounts is making including her Xmas bonus, but you do need to know the company averages, info you can get from your CFO or even from external sites like Glassdoor.


 

  • Financial impact of downtime (technology being down) on Sales – For many organisations the sales impact is the most severe; furthermore, in many organisations the sales process is heavily dependent on technology. It is your responsibility to start a conversation and to understand the worst-case scenario impact of each threat on the company’s sales. How many turnover days will you lose when Threat X hits? And within these days, what percentage of sales do you estimate the company will lose? If you are not sure, bring in your Sales team and your Ops team and engage them; bottom line, it’s YOUR responsibility to provide the solution to the board, no matter how many departments you need to engage.
  • Regulations – Love them, hate them, have a consensual BDSM relationship with them; it doesn’t really matter what you feel about them. The fact of the matter is that they are here to stay and they have a very clear impact. The GDPR is the perfect example, with fines of 4% or 20 million euros, whichever is greater. You are responsible for quantifying the worst-case scenario impact of regulations that are technological.
  • Solutions – what is their efficiency against the threat? – We need to show the board solutions, and in order to be able to quantify solutions we need to fully understand, from our experience (this is our realm; we NEED to know this), their efficiency against the threats. In many cases we will have multiple solutions that can help mitigate a single big and scary threat; usually, solutions will have a different efficiency level for on-premise and cloud.

2020 will be even more challenging than 2019, so be ready! Ask yourself these questions, research, start conversations with your teams and your colleagues. Engage!

I have created Boardish – boardish.io to help Me, Us, IT & Cyber professionals to be able to answer those hard questions more easily.

Now let’s rock 2020!

Eli Migdal.


3 of the Biggest Challenges Cyber Security Experts Are Facing – “no filter version”​


This post was originally posted on Linkedin by our co-founder Eli Migdal here.

Whether you are a CISO, a Consultant, a Pen Tester or a Cyber-focused System Administrator (I have been 3 of the 4 myself), you find yourself in a complex reality in 2019, and I presume it will only get more challenging in 2020.

Now I am warning you – I am not going to be “generic” or “Soft” in this article – I am going to hit it hard where it hurts but I think we need to address it head-on – with no buffers, as Cyber Security professionals usually do with cyber risks.

1 – Our role is not completely clear to C-Suite and Top Board level management

I know, it’s not 2010 and I think that “everyone” understands that without information security, a modern organisation can’t exist BUT, the level of clarity is still low.

From my personal experience, the CISO role is, in many cases, a “forced upon by the latest reality” role and only in a few organisations is the CISO role considered to be a proper catalyst for growth.

We need to ask ourselves: are we a catalyst for growth? Or is our focus a “patch / ad-hoc” function that isn’t really wanted but is a MUST because the risk is too high without it?

In my opinion, we are a critical catalyst for growth – Cyber Security and Cyber Resilience are part of the core essence of any business that is reliant on technology (which is most businesses nowadays).

If the C-Suite and board members don’t see that – you need to provide them with sufficient clarity, precise clarity on our value to the organisation.

2 – Is it a real risk or a buzz word?

To quote Queen, “is this the real life, or is this just fantasy?” It’s our responsibility to differentiate between a buzz word that your C-Suite and board members will be hearing and a real threat that puts your organisation at risk.

The hardest part is with things like Zero-Day attacks, where you don’t really know the impact until you’ve “seen” or, even worse, “felt” it yourself.

We need resources for R&D, for reading, exploring, testing, simulating, preparing, and building resilience.

We need to know VERY QUICKLY if it’s a “real risk” or a buzzword, and for that we need resources. Asking for resources from the C-Suite and Board is very hard when you don’t have clarity, when your potential risks are not actually quantified.

For example, let’s say you ask the Board for a 150K budget to set up a team that will:

  • Investigate all new threats and test them
  • See which solutions work and which don’t
  • Which risks are actually dangerous for your organisation and which are not
  • Run them in a duplicated sandbox of your company infrastructure and so on

How can your Board know if 150K is expensive or cheap for this type of request? On what basis are you asking them to make the assumption of a risk that has not occurred yet?

My approach is again Clarity.

You can show your current biggest risks, quantify them as specifically as you can for your organisation and then you can benchmark those worst-case risks to a potential “next worst-case” or Zero-Day attack.

3 – Selling Cyber Security is very hard

Like it or not, we are all salesmen (or women). We must ‘sell’ the problem, then sell the solution, and sell ourselves as the best person or team to make the problem go away by “being on top of it”.

I’ve written a dedicated article on the subject: 

How To Sell Complex Cyber Security Solutions and Packages

Now, let’s discuss solutions: 

I am all for Clarity – the C-Suite and board members NEED to see “what we see” in their language which is:

  1. Risk Factors
  2. Financial Impact
  3. Risk Mitigation / Risk Assessment
  4. Solutions

(Screenshot: Boardish dashboard, not reproduced here)

Using boardish.io, in the example above you can see it very clearly in the C-Suite and board-level language: we translate cyber language into “plain” numbers!

Threat: Data Leakage

  1. Total Threat Loss / Cost (The Risk Factor) – 203.87M – this is the main financial impact of the highest threat in this example list.
  2. How is the Threat Cost built? – The components include Regulation Loss, Salary Loss, Sales Loss, Market Loss.
  3. Solutions Contribution on-prem & in the cloud – This is the Risk Mitigation, by how much our proposed solutions mitigate the risk.
  4. Exposure – The last critical part of the Risk Assessment – after we mitigate the risk – what is our remaining exposure?
  5. Solutions – how many solutions are involved in risk mitigation and what is their cost?

Give your board Clarity in their language and I think, I hope, our biggest problems will be solved.

Going back to question #2 of my article: is 150K an expensive request when the biggest threat to the organisation is more than 200M? No! And now you have the clarity to prove it, with no misunderstandings about your role. You are the professional that is mitigating one of the biggest threats to the entire organisation.

Eli Migdal. 
