Questions that a CTO, CIO or CISO is expected to know the answer to in 2020
This post was originally published on LinkedIn by our co-founder Eli Migdal.
It’s almost 2020. The reality is that as IT & cyber professionals we are expected to know how to speak the board’s language. Okay, maybe not the entire language, but some key aspects of it for sure.
And yes, we are ALSO expected to always be on top of this never-ending race of IT challenges, in a world where you wake up every week to a different reality: always providing the best platform, uncovering the latest cyber threats and their solutions.
What is the turnover of the company? – I remember that sometimes, many years ago, the CTO or “Sys Admin”, as we were called at smaller companies, was not exposed to the turnover figures. Nowadays we MUST be: how can we talk figures if we don’t even have the basic turnover number?
(Note: we don’t need the profit/loss report, which is much “trickier” for most non-directors to get hold of; we need the turnover.)
What are the biggest technological threats to the company, and what is their financial impact, AKA “What is the exact figure”? – There is no tiptoeing around it anymore; we can’t say “a lot” or “huge” or “it will destroy the company”. We need to be SPOT ON and able to show the maximum potential loss so the board can make a proper risk assessment.
How many employees will be impacted? – We need to be able to separate the High, Medium and Low impact users. How many users will be completely incapacitated (not able to work at all) if your technological systems are down? Then, how many can still perform some of their job role? And who is barely affected?
Financial impact of downtime (technology being down) on salaries – In the previous question we asked how many High, Medium and Low impact users you have in your organisation. This time we are asking how much it will cost the organisation for these employees to be unable to work. No, you don’t need to know how much Janice from accounts is making including her Xmas bonus, but you do need to know the company averages, information you can get from your CFO or even from external sites like Glassdoor.
Financial impact of downtime (technology being down) on sales – For many organisations the sales impact is the most severe; furthermore, in many organisations the sales process is heavily dependent on technology. It is your responsibility to start a conversation and to understand the worst-case impact of each threat on the company’s sales. How many turnover days will you lose when Threat X hits? And within those days, what percentage of sales do you estimate the company will lose? If you are not sure, bring in your Sales team and your Ops team and engage them. Bottom line: it is YOUR responsibility to provide the answer to the board, no matter how many departments you need to engage.
Regulations – Love them, hate them, have a consensual BDSM relationship with them – it doesn’t really matter what you feel about them. The fact of the matter is that they are here to stay and they have a very clear impact. GDPR is the perfect example: fines of up to 4% of annual turnover or 20 million euros, whichever is greater. You are responsible for quantifying the worst-case impact of the regulations that touch technology.
Solutions – what is their efficiency against the threat? – We need to show the board solutions, and in order to quantify solutions we need to fully understand, from our experience (this is our realm – we NEED to know this), their efficiency against the threats. In many cases we will have multiple solutions that can help mitigate a single big and scary threat, and usually a solution will have a different efficiency level for on-premise and for cloud.
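The questions above (user impact bands, the salary cost of downtime, sales lost over the turnover days, the GDPR maximum fine, and solution efficiency per deployment model) add up to one worst-case figure per threat and one residual figure per solution. The Python model below is an added example and is not part of the original post or of Boardish; every company figure, threat and efficiency value in it is constructed for illustration, and the 250-working-day year and the assumption that a solution's efficiency scales the whole figure down proportionally are simplifications you would replace with your own data.

```python
"""Worst-case financial impact of a technology threat, expressed the way a
board wants it: one figure per threat, plus the residual figure after each
candidate solution. All company data below is constructed for illustration."""
from __future__ import annotations

from dataclasses import dataclass, field

# Assumption: working days used to turn annual figures into daily ones.
WORKING_DAYS_PER_YEAR = 250


@dataclass
class UserBand:
    """A High/Medium/Low impact group: headcount, average salary and the
    share of their work that stops while the systems are down."""
    name: str
    headcount: int
    avg_annual_salary: float
    productivity_lost: float  # 1.0 = cannot work at all, 0.0 = unaffected


@dataclass
class Threat:
    name: str
    downtime_days: float        # worst-case turnover days lost
    sales_loss_share: float     # share of sales lost on each of those days
    gdpr_exposed: bool = False  # does the worst case include a personal-data breach?


@dataclass
class Solution:
    name: str
    # deployment model -> share of the worst-case impact the solution removes
    efficiency: dict = field(default_factory=dict)


def gdpr_worst_case(annual_turnover: float) -> float:
    """Maximum GDPR fine: 4% of annual turnover or 20 million euros, whichever is greater."""
    return max(0.04 * annual_turnover, 20_000_000.0)


def salary_cost_per_day(bands: list[UserBand]) -> float:
    """Daily salary spend that buys no work while the technology is down."""
    return round(sum(b.headcount * b.avg_annual_salary / WORKING_DAYS_PER_YEAR
                     * b.productivity_lost for b in bands), 2)


def worst_case_impact(threat: Threat, bands: list[UserBand], annual_turnover: float) -> dict:
    """Salary, sales and regulatory components of the worst case, and their total."""
    daily_turnover = annual_turnover / WORKING_DAYS_PER_YEAR
    salaries = round(threat.downtime_days * salary_cost_per_day(bands), 2)
    sales = round(threat.downtime_days * daily_turnover * threat.sales_loss_share, 2)
    regulatory = gdpr_worst_case(annual_turnover) if threat.gdpr_exposed else 0.0
    return {"threat": threat.name, "salaries": salaries, "sales": sales,
            "regulatory": regulatory, "total": round(salaries + sales + regulatory, 2)}


def rank_solutions(impact: dict, solutions: list[Solution], deployment: str) -> list[tuple]:
    """Residual worst-case impact after each solution, best first. A solution
    with no efficiency figure for this deployment model is credited with 0."""
    residual = []
    for s in solutions:
        eff = s.efficiency.get(deployment, 0.0)
        residual.append((s.name, eff, round(impact["total"] * (1 - eff), 2)))
    return sorted(residual, key=lambda r: r[2])


# Constructed company: 50M annual turnover, 1,000 staff in three impact bands.
ANNUAL_TURNOVER = 50_000_000.0
BANDS = [
    UserBand("High", 200, 40_000.0, 1.0),
    UserBand("Medium", 300, 45_000.0, 0.5),
    UserBand("Low", 500, 50_000.0, 0.1),
]
RANSOMWARE = Threat("Ransomware", downtime_days=5, sales_loss_share=0.6, gdpr_exposed=True)
SOLUTIONS = [  # constructed efficiency estimates, per deployment model
    Solution("Immutable backups", {"on-premise": 0.7, "cloud": 0.85}),
    Solution("Endpoint detection and response", {"on-premise": 0.6, "cloud": 0.6}),
    Solution("Staff awareness training", {"on-premise": 0.3, "cloud": 0.3}),
]

if __name__ == "__main__":
    impact = worst_case_impact(RANSOMWARE, BANDS, ANNUAL_TURNOVER)
    for key in ("salaries", "sales", "regulatory", "total"):
        print(f"{impact['threat']} worst case, {key:<10}: {impact[key]:>14,.2f} EUR")
    for deployment in ("on-premise", "cloud"):
        print(f"\nResidual impact ({deployment}):")
        for name, eff, left in rank_solutions(impact, SOLUTIONS, deployment):
            print(f"  {name:<34} efficiency {eff:.0%}  residual {left:>14,.2f} EUR")
```

The regulatory component dominates the constructed figure, which is exactly the kind of thing a board needs to see in one number rather than as “huge”; swapping the constructed bands, downtime days and efficiency estimates for your own CFO and Sales figures gives the per-threat and per-solution numbers the questions above ask for.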
2020 will be even more challenging than 2019, so be ready! Ask yourself these questions, research, start conversations with your teams and with your colleagues – engage!
I have created Boardish (boardish.io) to help me, us, IT & cyber professionals answer those hard questions more easily.