Why 'Probability' is a huge landmine in Cyber Security Risk Quantification (+ how to overcome it)


Cyber Risk Quantification is becoming more familiar, and I’m seeing more SMEs, large companies and consultants using quantification methods for clients. But a lot of them have something in common: they’re working on the Probability & Impact methodology, shown brilliantly in the picture below:

cyber risk probability cartoon

* Picture Credits – The Cyber Security Hub

This illustration is one of the best ways to show how probability and impact “go together”, not least because it’s so clear. But it also blinds cyber professionals to the huge landmine that is “Quantifying Probability”.

After years of working on quantifying cyber risk into financial figures (from consulting through to the development of Boardish), I believe that focusing on probability is a mistake in the cyber security realm. Allow me to explain:

  1. Cyber security threats are evolving MUCH quicker than any “past knowledge” you could base a probability factor on. For example, the attack vector for ransomware to ‘get into your organization’ is evolving on a DAILY (and sometimes hourly) basis. On day X your probability is low because all of your machines are patched, but on day Y a new security flaw in a core system means the probability soars.
  2. Cyber attacks are constantly on the offensive; it’s not a “statistical game” like car accident insurance. Instead, there is a clear ‘business model’ for your attackers to gain access to your systems and cause damage. They are ACTIVELY trying all the time. It’s not a question of “if I will be attacked” but “when”, AND “will zero-day exploits be used”.
  3. You’ll always be wrong when speaking to management. When your management asks “what is the probability” of cyber attack X happening, you will most likely get the answer wrong. It’s a “catch 22” question: you can’t really get it right because you have no control over the variables, which are constantly changing.

How should I address probability in cyber risk quantification?

  1. Always assume the worst case scenario when it comes to probability; that’s the only “not wrong” answer. Your responsibility as a cyber professional is to be able to Identify, Protect, Detect, Respond and Recover (the NIST Framework functions) ANYTIME, ANYWHERE.
  2. Focus on the financial size of the threat impact, treating the probability of the threat as ALWAYS HIGH.
  3. Focus on the efficiency of the solution against the threat, again treating the probability of the threat as ALWAYS HIGH.

This way the responsibility is on your solutions to protect against the overall threats, not on asking a thousand ‘what ifs’ to find a solution that may not protect you in the worst case. What is the point?

So, what’s the alternative? In Boardish we approach it from a solution perspective and have the TPF (Threat Protection Factor). You can see that we have threats and solutions AND the efficiency of the solutions against the threats.

You can have multiple solution combinations against the threat and, most importantly, you control the efficiency, based on your specific organizational understanding, experience with solutions, and specific environment.

We don’t “play” the “probability” game; it’s always “HIGH”, because this is the one “not wrong” answer (there is no right one). You can wake up to a ransomware attack anytime, anywhere. Don’t make the mistake of telling your management that you can predict the probability; you can’t.

The one thing you can predict is how well solutions protect against the worst case. So use this as your benchmark and you’re a lot closer to being right!

How does the Boardish Framework solve this?

  1. Boardish focuses on the full quantification of the THREAT: Market Loss, Work Days Loss, Sales Loss, and Regulation Loss, combined with “how quickly the company will recover its market position”.
  2. We measure the efficiency of the solution in mitigating the threat, i.e. how efficient the solution is against the threat. We do not automate this step; we believe it is different for each organization, and each IT & cyber professional can make that decision based on their specific environment.
  3. The Boardish Methodology helps you quantify the real and complete solution cost (including IT & cyber labour cost).


The Boardish Methodology gives you a very clear decision-making metric without the “catch 22” of ‘probability’.

Plus, you can try our solution for free yourself, without needing any integration, at www.boardish.io

If you need help, let me know.

Eli Migdal – Co-Founder – Boardish.


5 Common Mistakes Made with IT and Cyber Risk Assessments

Organisations must regularly conduct cyber risk assessments to test their preparedness for cyber threats and ensure they have the best possible remediation strategies. 

But not all cyber risk assessments are created equal.  

Why cyber risk assessments sometimes fail to deliver 

A regular cyber risk assessment process usually boils down to just a few major steps: 

#1 Identification of: 

  • Assets – servers, sensitive data, contact information, users: anything that might derail the organisation if it were attacked or became inoperable.
  • Threats – natural disasters, human error, system issues, malicious attacks: anything that can cause an outage of operations and services.
  • Vulnerabilities – current weaknesses revealed through vulnerability repositories, security analysis, penetration tests, vulnerability scanners, and other sources.

#2 Analysis – Assessing the already existing controls and how they fare against possible threats and vulnerabilities.

#3 Risk Assessment – Determining how likely it is for a specific incident to happen, and how much of an impact it would have with the current controls and strategies. 

#4 Remediation – Prioritisation of identified security risks and determining adequate controls to mitigate risk for each.

There’s a notion that cyber risk assessments do not do much in terms of protecting the organisation against cyber threats, but in reality, the assessment isn’t the problem – it’s how it’s conducted. 

Common Mistakes Made During IT and Cyber Risk Assessments

When the above steps are not taken correctly, major risks could go undetected. Usually, the mistakes that happen are: 

#1 Going alone and not involving other teams

Nowadays, cybersecurity concerns everyone – from IT to the CSO, CISO, CTO, and all board members – as it has such a huge impact on the organisation when security is compromised. Therefore, everyone needs to collaborate during cyber risk assessments; otherwise, a huge chunk of data will be missing.

Check out our article on collaborating together here: https://www.boardish.io/unite-it-with-compliance-ciso-dpo-cio/ 

#2 Not quantifying impact effectively

The board can’t do much with terms like “low risk” and “high risk.” For them, the financial impact is the most important factor – knowing how much money they could lose (or save) in the long term. 

Without quantifying impact, you can’t give them the full picture. When you can show them they would suffer multi-million losses after a data breach that’s identified as a high-risk threat, it will be much easier to secure $45,000 for threat mitigation! 

#3 Too much focus on the perimeter 

Organisations tend to test their perimeter against threats but forget all about internal security policies. Oftentimes, data loss and breach happen due to lack of access control inside the perimeter. 

Internal security strategies covering how data is shared, who has access to sensitive documents, and what happens if they are accessed from BYOD devices must be part of the cyber risk assessment too.

#4 Ignoring weak spots: vendors and business partners

Many cyber risk assessments don’t look extensively outside the organisation, yet organisations grant third parties access to sensitive data, and those third parties are often the point of entry for security breaches.

Are you making sure your partners are taking care of their cybersecurity as much as you do? Have you fortified or put mitigation in place if they are breached? 

#5 Relying solely on industry averages

While something might be considered low risk for your industry, your particular organisation might be at high risk because there are no good controls in place.

Risk assessments must always be conducted specifically for the company, using its own numbers, values and implemented controls. That’s the only way to get quantifiable data that is relevant and specific to your organisation.

A proactive and collaborative approach towards cybersecurity

Keeping your organisation safe against security threats requires a more proactive approach than simply having a security strategy and security software in place. Cyber risk assessments, when done correctly, help identify weak spots and remediate them effectively. 


How to Quantify Cyber Threats as a CISO in 2020

The recently released Internet Organised Crime Threat Assessment (IOCTA) for 2019 by Europol shows that the threat landscape has matured, and key threats have grown in persistence and tenacity. 

The report confirms that the destructive ransomware threat remains high. Phishing, spear-phishing, and vulnerable remote desktop protocols have been identified as the primary infection vectors.

Such a threat landscape requires continuous efforts in the identification of main cyber threats to the organization and how much damage they can do. 

CISOs need to be prepared for 2020 and coordinate their security efforts with the board and their company goals. 

Communicating cyber threats in the board’s language—exact figures and business impact—requires a way to quantify these threats. 

To quantify these cyber threats, CISOs require greater access to the organization’s key financial data and other indicators.   

#1 Identifying the biggest threats and their financial impact on the company 

Identification of the largest cyber threats seems to be the biggest hurdle in presenting cyber risk and exposure, mainly due to the fragmentation of digital solutions in organizations.

According to Deloitte’s Future of Cyber Survey, 41% of CISOs state that Shadow IT presents the most challenging aspect of cybersecurity management in the organization, followed closely by 37% of CISOs stating that cyber transformation presents a large challenge.

Shadow IT makes it challenging to quantify cyber risk, as there is no overview of all systems. This makes it next to impossible to get a good snapshot of organizational cyber maturity or security posture. 

When the departments integrate digital solutions on their own, there is no alignment of IT with critical business goals. 

How does it relate to quantifying cyber threats? 

The board requires a good overview of the maximum potential threat so they can make the right risk assessments. Getting Shadow IT under control is the primary objective to be able to deliver such assessments.

Simply saying the largest cyber risk (such as data leakage or breach) will cost the company millions, destroy it, or have far-reaching consequences is not enough anymore. 

How much would the cyber incident cost if left as is? 

How much would your solution cost? 

How much exposure would remain after implementing the solution? 

Would your solution be a sound decision, from a financial standpoint?

Speak in actual numbers that affect the company, not industry averages.


#2 Getting access to the company turnover figures

Back in the day, CTOs and sysadmins, as they were called in smaller companies, had nothing to do with turnover figures or any type of financial statements outside of the realm of IT. Times have changed, and nowadays, cybersecurity is an integral part of every company. 

With digital systems running in every department, the CISO requires a full overview of each of them to devise a data and information security strategy that will minimise risk and make the organisation more resilient to threats. 

How does it relate to quantifying cyber threats? 

Nowadays, CISOs must have access to company turnover figures in order to be able to quantify risk in terms that the board will understand. If the board wants to talk about cyber threat risk figures, you must show them how cyber threats will affect the organisation’s turnover. 

The profit/loss reports would give better insight, but these are impossible to get if you’re not in a directorial position. Instead, focus on getting company turnover numbers to build your case.


#3 Presenting the impact of technology issues on employees 

To get a clearer picture of how a cybersecurity incident will affect employees, it’s best to separate users as high, medium, and low impact. 

Technology issues won’t affect all users in the company in the same manner. 

Some will experience only mild inconveniences but be able to continue working. 

Some won’t be affected at all.

Some, however, won’t be able to do a single thing until the issue is resolved. 

How does this relate to quantifying cyber threats? 

Quantifying the impact of cyber risk depends heavily on how your operations will take a blow. When you have a clear picture of how dependent your users are on technology, you will be able to calculate the impact. 

If users can’t do their job at all—high impact users—it means their operations are standing still, which makes the risk and its cost greater. 

If users aren’t that affected, the cost will be lower too.


#4 Presenting the financial impact of “downtime” on the company’s salaries 

The amount of high, medium, and low impact users determines more than just the extent of the impact. It also shows how much downtime will cost in terms of salaries—how much it will cost the organization that these employees won’t be able to work. 

How does this relate to quantifying cyber threats? 

Even if employees can’t work because of the security incident that needs to be resolved, they will still get their salary for the day. How much will this add to the total cost of the security incident? 

You don’t need exact figures for every possible employee you hire, of course, but having an idea of salary averages will help you determine this cost. 

To get some idea on salary figures, ask the CFO or somebody in the financial department. You might even want to use external resources that can give you averages, such as Glassdoor.


#5 Determining the financial impact of “downtime” on the company’s sales 

Most of the time, cybersecurity incidents have the greatest impact on company sales, since the sales processes are heavily dependent on technology. Your e-commerce stores won’t bring you any sales if the servers are under attack or if payment processing is down. 

How does this relate to quantifying cyber threats? 

While sales aren’t your responsibility, the impact of cyber threats on sales falls within your role. CISOs have the responsibility to communicate the impact of cyber threats on sales and present the costs of worst-case scenarios. 

How many turnover days will the company lose in case of threat X? 

Within each lost turnover day, what percentage of sales will go down the drain?

What is the chance of losing market positioning in case of threat X?

To provide relevant numbers, you must include the Sales team, and any other team related to sales, to give you the required information on how market positioning and sales will be affected in worst-case scenarios.


What is the financial impact of IT regulations? 

Information and data are top targets of cyberattacks, and all companies are under strict regulations on how to protect them, no matter what industry you are in.

Take GDPR as an example—the data protection act lists extremely high fines for companies that do not take necessary measures when it comes to personally identifiable information (PII). 

How does this relate to quantifying cyber threats? 

CISOs must quantify the impact of all regulations pertaining to the company in worst-case scenarios. The GDPR, for example, has extremely high fines: in case of a data breach, the company might face fines of 20 million euros or 4% of its annual revenue, whichever is greater, and this must be included in the potential financial impact of cyber threats.

Most companies won’t stand a chance of recovery from such high fines.


What is the efficiency of my solutions against the biggest cyber threats? 

After presenting the cyber threats most likely to affect the company, CISOs must also present the solution. To sell the solution, you must quantify it too—its immediate and annual costs, compared to the cost of the threat it is solving.

In addition, there is also the efficiency factor of the solution—how much of the risk will it mitigate, and how much exposure would remain? 

The efficiency of the solution depends on the threat type and environment. Is it on-premises? Is it in the cloud?

There are very few scenarios where a cyber solution will have 100% efficiency, so decision-makers need to see the exposure left and weigh up the risk factor themselves.

How does this relate to quantifying cyber threats? 

The reason why CISOs must quantify cyber threats is to put the costs in perspective when compared to the costs of efficient solutions. 

Solution efficiency and cost help them justify investments that will improve the company’s resilience and overall security posture. 

It is likely that CISOs will have more than one solution for mitigating the biggest threats, each with a different efficiency depending on the environment.

Showing the summed-up costs of solutions versus the cost of a security incident without them will help the board understand just how much a security incident can set the company back.
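The steps above (user impact tiers, salary cost of downtime, lost turnover days, the worst-case regulatory fine, and the efficiency and cost of solutions) are the components that the Boardish threat-loss breakdown in the first post on this page sums up as Market Loss, Work Days Loss, Sales Loss and Regulation Loss, and the "remaining exposure" is the same "total threat loss minus what is mitigated" figure the salary-benchmarking post further down relies on. The following Python model is an added example, written for this page, of carrying that arithmetic through end to end; it is not Boardish's own code or algorithm. Its assumptions, which are mine and not the article's, are: a 250-day trading year for the turnover-per-day figure, the worst-case GDPR loss taken as the larger of the two stated maxima, and several solutions layered as independent filters (what one misses, the next still catches part of). All names and figures are constructed for the example.

```python
"""Worst-case threat-loss and remaining-exposure model.

Added illustration for this page, not Boardish's own code. Assumptions (mine):
four loss components summed, a 250-day trading year, worst-case GDPR fine as
max(20M EUR, 4% of revenue), and layered solutions treated as independent
filters. Every input figure below is constructed for the example.
"""
from __future__ import annotations

from dataclasses import dataclass


@dataclass
class ImpactTier:
    """Users grouped by how badly a technology outage stops their work."""
    name: str
    users: int
    daily_salary: float        # average salary cost per user per day
    productivity_loss: float   # 1.0 = cannot work at all, 0.0 = unaffected


@dataclass
class Solution:
    name: str
    efficiency: float          # share of the threat loss it mitigates; set by the practitioner
    upfront_cost: float
    annual_cost: float


def work_days_loss(tiers: list[ImpactTier], downtime_days: float) -> float:
    """Salary paid for work that cannot be done while the incident is resolved."""
    return sum(t.users * t.daily_salary * t.productivity_loss * downtime_days for t in tiers)


def sales_loss(annual_turnover: float, turnover_days_lost: float,
               share_of_sales_lost: float, trading_days: int = 250) -> float:
    """Turnover lost: days of disruption times the share of daily sales that evaporates."""
    return annual_turnover / trading_days * turnover_days_lost * share_of_sales_lost


def gdpr_regulation_loss(annual_revenue: float) -> float:
    """Worst-case GDPR fine: 20 million euros or 4% of annual revenue, whichever is greater."""
    return max(20_000_000.0, 0.04 * annual_revenue)


def total_threat_loss(market_loss: float, wdl: float, sl: float, rl: float) -> float:
    """Market Loss + Work Days Loss + Sales Loss + Regulation Loss."""
    return market_loss + wdl + sl + rl


def combined_efficiency(solutions: list[Solution]) -> float:
    """Assumed layering rule: the share of loss that no layer stops is the product of the misses."""
    remaining = 1.0
    for s in solutions:
        remaining *= 1.0 - s.efficiency
    return 1.0 - remaining


def exposure_after(total_loss: float, solutions: list[Solution]) -> tuple[float, float]:
    """Return (mitigated, remaining exposure) for a solution combination."""
    mitigated = total_loss * combined_efficiency(solutions)
    return mitigated, total_loss - mitigated


def first_year_solution_cost(solutions: list[Solution]) -> float:
    return sum(s.upfront_cost + s.annual_cost for s in solutions)


def ransomware_scenario() -> dict:
    """Constructed scenario: a 5-day ransomware outage at a company with 75M annual turnover."""
    tiers = [
        ImpactTier("high", 50, 400.0, 1.0),     # cannot work at all
        ImpactTier("medium", 200, 300.0, 0.5),  # half-productive
        ImpactTier("low", 500, 250.0, 0.0),     # unaffected
    ]
    turnover = 75_000_000.0
    market_loss = 5_000_000.0   # constructed: market position lost while recovering
    wdl = work_days_loss(tiers, downtime_days=5)
    sl = sales_loss(turnover, turnover_days_lost=10, share_of_sales_lost=0.6)
    rl = gdpr_regulation_loss(turnover)
    total = total_threat_loss(market_loss, wdl, sl, rl)
    solutions = [
        Solution("EDR rollout", 0.6, 200_000.0, 120_000.0),
        Solution("Immutable backups", 0.5, 50_000.0, 30_000.0),
    ]
    mitigated, remaining = exposure_after(total, solutions)
    return {
        "work_days_loss": wdl,
        "sales_loss": sl,
        "regulation_loss": rl,
        "total_threat_loss": total,
        "mitigated": mitigated,
        "remaining_exposure": remaining,
        "solution_cost_year1": first_year_solution_cost(solutions),
    }


if __name__ == "__main__":
    for key, value in ransomware_scenario().items():
        print(f"{key:>22}: {value:>14,.0f}")
```

The point a board will react to is the last three lines of the output: the loss the solution combination removes, the exposure it leaves behind (the figure decision-makers weigh themselves), and the first-year cost of getting there. The layering rule in `combined_efficiency` is only one defensible choice; when you set efficiencies by hand for your own environment, as the article recommends, replace it with whatever combined figure you can justify.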


Conclusion: 

For 2020, CISOs must answer critical business questions clearly and speak in exact figures. They must quantify cyber threats and present solutions in terms of how they help maintain critical business strategy and operations. 

With Boardish – boardish.io – CISOs will have access to a tool that helps them quantify cyber threats quickly, without having to deploy anything on-premise or grant access to their systems. 

CISOs must work together with all departments and get all relevant information to present real threats in real numbers. 

Boardish can help them create a snapshot of their company and help them run scenarios of different threats and their financial and market impact. 

Let 2020 be the year of real numbers!


How Much Should A CISO & Other Cyber Professionals Earn? (aka How to benchmark your Salary?)

I got the inspiration for this article after listening to the David Spark podcast (Defense in Depth) which talked about Security Budgets, “We’ll find the Cyber Security budget when we’re breached”.

In this podcast, one of the participants, Yaron Levi (the CISO of Blue Cross), brought up the “value” element: that you need to understand the value of the company before you can understand cyber budgets.

I fully agree.

But this got me thinking about the big issue of “value assessment/knowing the value of …” in cyber security. I meet (well, now it’s mostly Zoom 🙂) and hear many cyber professionals discussing the vastly different salary ranges across the industry.

There doesn’t seem to be a clear definition of “how much a CISO should earn”, from either the business side or from cyber professionals.

This leads me to the core of the issue.

A lack of ability to assign value, which in my eyes is one of the biggest issues in cyber security.

It’s impacting cyber budgets and cyber salaries, and it has everything to do with value rather than money.

Cybersecurity and IT have always been hard to quantify (it’s why I started Boardish in the first place) and this is because the ‘value’ is defined in different ways. As an example, technology value can be seen in:

  1. Facilitating business working/development/growth
  2. PREVENTING cost-impacting events e.g. ransomware, or data breach fines etc.

So what does this mean for CISOs and cyber professionals and getting paid?

The traditional approach to salaries and consulting fees has flaws within the realm of cyber security:

When going to an interview or a meeting regarding the fees of consulting or the salary you will ask for, you will try to negotiate your pricing based on the following:

  1. Your experience level.
  2. How you perceive the company’s ability to pay.
  3. The market averages for this specific role and sector.
  4. And of course – Your “shrewd negotiator abilities”.

Usually, with those 4 metrics, you will determine your Bottom and Top ranges of salary/price.

This approach is fine, but for cyber security it just does not work well enough, for the following reasons:

  1. Your experience level – cyber security is constantly changing and evolving. Your experience level is important, but being a specialist in “something” does not mean that “something” will be relevant in 3 months; your learning capabilities and ability to react are, in my eyes, more important than your “classic experience”.
  2. How you perceive the company’s ability to pay – yes, you can research a bit and know the turnover of the company and what the average salaries are, BUT you don’t know how much value the company puts on cyber security. The company can be huge and very profitable yet not value cyber security at all, and so it will not see value in your proposition regardless of what it is.
  3. The market averages for this specific role and sector – you usually do not have visibility into how complex the systems are, what the risk exposure is, or how much financial risk you will be responsible for. So 2 companies that look EXACTLY the same from the outside may be completely different in the “risk levels” the CISO needs to take under his/her responsibility.
  4. Shrewd negotiator abilities – always a good thing to have, but without them seeing the value of what you’re offering, it’s not going to be much of a negotiation! 🙂

So how should CISOs and Cyber Pros be approaching this instead?

The key, in my experience, is looking from the perspective of value to the company and ‘knowing the financial amount (and risk) that you’ll be responsible for’.

Depending on the amount of risk you’ll be responsible for, you can set your acceptable minimum and preferable maximum salary.

CISOs (and other cyber security professionals) must be able to QUANTIFY what they are responsible for. There is a huge difference in the level of responsibility and mitigation needed between $100M and $10M, so the salaries shouldn’t be the same, because the VALUE is not the same.

To put this into perspective: if you are interviewed for a position that makes you responsible for mitigating $100M of cyber risk to the company, would you consider $60K yearly enough?

How do you Quantify the value of ‘How Much a CISO is worth to the company’?

You need to know 3 main metrics:

  1. The company’s turnover – this is usually something you can easily research yourself and get a ballpark figure for.
  2. The total financial figure of cyber security risk that you will be responsible for mitigating (this can also be done via the Boardish Methodology and Boardish tool, which I’ll discuss in the next section).
  3. The current remaining exposure, i.e. “Total Threat Loss minus how much was mitigated already” = the actual financial figure you will be responsible for.

How To Use Boardish To Get This Figure

You can use the Boardish Methodology and tool to get exactly this information, because it’s similar to budgeting. After completing the wizard, your Dashboard will show EXACTLY what we discussed!

How the Boardish Methodology works:

After filling in the information, your Dashboard will show you a clear connection between the turnover of the company, the biggest threat in financial figures, and the remaining exposure.

In the screenshot below, the biggest threat has a total Threat Loss of 93M (which is twice the yearly turnover of the company, which is 75M) with a remaining exposure of 46M.

So when looking at the ‘value’ of the position of CISO for this company, you will be responsible for a Financial Risk figure of 46M in a company with a 75M yearly turnover.

Now that you have the figures – you unleash your “shrewd negotiator abilities”.

Ultimately, when it comes to your value, don’t let the market ‘assume for you’, in fact, don’t assume at all. Quantify!

You can use Boardish Basic to quantify completely free!

Sign Up here: https://app.boardish.io/

Learn more here: https://www.boardish.io/

Eli Migdal – Co-Founder of Boardish.


Boardish Partners with 360inControl®️

Boardish, a cyber risk quantification tool, and 360inControl®️, a new generation of internal control system (ICS), have announced the start of their partnership that will help provide a full risk management and control solution for CISOs around the globe. 

Bringing Together Risk Discovery and Risk Quantification

360inControl®️ helps companies create a detailed inventory of all information they have, classify it accordingly, and assess the current risk levels. Boardish, on the other hand, transforms this information into financial figures that help CISOs communicate risk and solutions effectively with the board and decision-makers.

Andreas von Grebmer, co-founder of 360inControl®️, Information Security & Risk Advisor, and CISO explains that the partnership is a step in the right direction: 

“It’s logical for 360inControl®️ and Boardish to work together, since our services complement each other rather than compete against one another. While 360inControl®️ offers risk assessment through master data management and defining values for likelihood and impact of various risks, Boardish complements this beautifully by putting actual figures on all threats and risk levels.”

Eli Migdal, co-founder of Boardish, greeted the business partnership: 

“Boardish has been particularly selective about who we work with, and so this just shows the calibre of 360inControl®️ and their product. They have a truly wholesome solution that detects and keeps track of all types of data the company works with, which makes risk assessment and quantification much easier.”

Bringing CISOs a Full Risk Management Solution

The most important point here is that Boardish and 360inControl®️ currently have no integration between each other, but will still be able to provide a full service to any CISO who needs a clearer picture of the cybersecurity landscape.

The partnership between Boardish and 360inControl®️ encompasses the whole journey: from risk awareness and risk discovery, to clear communication with the board and fast-tracking their approval.

Full-service Partnership Is the Next Step 

The business partnership is just the start, with Andreas and Eli confirming they will likely become service partners as well. By becoming service partners, they would share resources, enabling them to get a better overview of cybersecurity and improve their tools even more. In addition, they would also release joint case studies for existing customers, helping CISOs get a good picture of just how much faster they could implement solutions by using these tools.

Ultimately, this ushers in a new age of complete vulnerability assessment and remediation for CISOs.

Learn more about Boardish here

Learn more about 360inControl®️ here.


Boardish Starts White Label BI Roadmap

Boardish has moved from BETA to Production! As a tool helping IT and cyber pros quantify cybersecurity risks and solutions for decision-makers, we’re constantly striving to improve the dashboard. And we’ve made a huge step towards a white label BI solution!

We’ve been asked to white label Boardish since we were in BETA, and it’s on the roadmap for later this year. However, we’ve already added the logo functionality to customize your dashboard for decision-makers!

“This is a great starting point for vendors and our service partners to share quantification of solutions to potential customers without the Boardish logo and have their own.” – Eli Migdal, Co-Founder

Why go for White Label BI? 

Oftentimes, IT departments in businesses large and small require a solution that helps them create reports and visualise data in ways that can easily be understood by decision-makers of the company. 

Building your own solution isn’t feasible in many cases, as it takes a lot of time and resources, something that many IT departments struggle with. This is where third-party white label BI solutions come in handy. 

Boardish, in particular, provides a powerful tool that can help visualise the impact of unaddressed cyber risk and efficiency of different solutions, in terms that are familiar to decision-makers – financial impact, delays, the bottom line. 

It would take well over six months and huge budgets to build custom in-house BI tools but you can use Boardish in minutes! Especially because it runs in a web app and doesn’t require deployment or integration with current systems. 

Yet, it might feel unfamiliar and take away focus during meetings to try and explain Boardish.

But the ability to make third-party software look and feel native brings benefits to IT pros and consultants presenting their solutions in front of the board during meetings: 

  • Seeing the company logo when running different scenarios in Boardish brings a sense of familiarity. 
  • The board members won’t be distracted by the tool itself; they will focus on what matters – the data and implications of different threats and solutions.  
  • Increased solution acceptance – cyber risk quantification and solutions won’t feel disjointed but offer the well-known look and feel, so the board members will be more inclined to accept the proposed solution.
  • Company-specific insights – instead of relying on industry data, you work with company data only and present scenarios of cyber threat impact on the specific business, as well as the efficiency of solutions for that specific company. 

In short, Boardish can now help you achieve brand consistency by using its white label BI starter option. 

With our fully white label option coming soon! 

Sign up to Boardish Premium Yearly or Enterprise today to start personalizing your dashboard! 


Making Sense of AI Cybersecurity Data for Enterprises

CISOs are facing a challenge with AI cyber data points created by software solutions used in their organisation to monitor enterprise security. So, how can they explain the AI cyber data to the executive stakeholders and help improve clarity in their decision making? 

The Problem with AI Cyber Data

Plenty of well-established risk domains, such as credit or market risk, are clear to the board because they are expressed in economic terms—revenue gain/loss, value, and operational costs. 

With cyber risk, the main issue lies in the risk calculation methods—presenting the actual organisational impact to the board is hard without financial numbers to back up claims.

Cybersecurity specialists have started using AI solutions to identify potentially malicious activities and software before they can do lasting damage. These produce tremendous amounts of AI cyber data on detected issues or threats. 

Why It Gets Complicated

AI cybersecurity data helps CISOs present a case in front of the board, but often they can only report what risks were mitigated or potential risks raised and not how much was, or could be, saved in financial terms. 

Making sense of AI cyber data becomes a challenge in itself because key components to calculate financial impact are missing. 

  • CISOs often use qualitative methods to display cyber risk, but these aren’t accurate enough to rely on in crucial decision making. They lack the means to provide a definitive prioritisation for identified risks.

To demonstrate: risks are ranked on a low, mid, and high scale. How do you quantify and explain how much higher the high risk is than the medium one? How do you argue why some risks are medium instead of high?

  • When using quantitative methods, CISOs use data and events from industry and sector to determine the risk and prioritise cybersecurity solutions. The numbers they rely on are from high-profile breaches that happened recently, with focus on those that have affected organisations similar in size, technology, and inner organisation. But this method is missing a way to demonstrate the actual economic impact on their organisation. 
  • AI solutions used to monitor the organisation are often missing key analytical capabilities. While good at detecting issues and mitigating risk, they cannot show how technology, personnel, processes, and internal policies affect the magnitude and event frequency of each risk or point towards broader systemic issues within the organisation’s security posture.   
  • AI cyber data lacks information on the impact of legal and regulatory changes to the industry. CISOs can only let the executives know that there’s been a change in regulations and that it will be affecting the organisation. Most often, this will require partnering up with the legal team to help with analysis. 

How Can CISOs Get Accurate Numbers for Cyber Risk? 

Organisations need these figures because they help decide which risks must be addressed first, and they reduce the uncertainty when choosing risk mitigation solutions.

Industry-wide data provides just a ballpark figure and isn’t accurate enough. 

CISOs must transform AI cybersecurity data into information the board will understand and know how to work with—this means using actual numbers and financial impact on their organisation. 

The technical data they get from AI solutions is a good start, but they must include regulatory impact and also check and validate the data from AI tools before they go to the board. This is the only way to paint a complete and accurate picture.

Instead of presenting industry events that happened or relying on past incidents, they can use tools that convert AI cyber data from their cyber solutions into actual numbers for security events related to their organisation.

The right tools help them transform the data to financial terms that the executives will understand. This way, they will have an easier time getting approval for cybersecurity investments and defending their risk management decisions.   

More importantly, CISOs must make time to check these numbers regularly as it helps create benchmarks that are based on their data instead of wider industry data, providing the most accurate data points for decision-makers to work with.  

Using AI Cyber Data to Create a Full Picture

The changing nature of the cybersecurity environment and the regulatory framework requires frequent security posture analysis and fine-tuning of areas where results are lacking. This is only possible by using AI cybersecurity data related to your specific organisation and quantifying it.

Boardish helps you get back control over AI cyber data by quantifying and validating all data before you bring it to the board. 


Where to Find Out About Cybersecurity Events

Without a way to identify business cyber threats yourself, you can only wait for an attack, which will cost more than taking a proactive approach. 

This means doing some legwork to keep up with new developments in both cyber threat and solutions.

But where can you find out all the latest developments on cyber threats? 

You can start with data sources that keep track of the common vulnerabilities and exposures (CVEs) – such as official CVE sources, security blogs, publications, groups, and vendors who share news about the latest CVEs.

CISOs struggle to keep up with new cyber threats 

Your primary focus should be CVE news about the vendors and systems your business is currently using, and the impact on your systems as expressed by the severity rating (Common Vulnerability Scoring System – CVSS). You must be able to react quickly if the severity rating is high or critical.
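One way to put that focus into practice: filter a CVE feed down to the vendor/product pairs in your own asset inventory and flag the High and Critical ones for immediate reaction. This is an added example, not Boardish code; the inventory, the feed entries and the CVE identifiers are constructed placeholders in a simplified shape, and a real feed (such as NVD JSON) needs its own parsing.

```python
"""Triage a CVE feed against the systems your organisation actually runs.

Added example (not Boardish code). INVENTORY and SAMPLE_FEED are
CONSTRUCTED sample data; the CVE ids and scores below are placeholders.
"""
from dataclasses import dataclass

# Hypothetical asset inventory: (vendor, product) pairs the business uses.
INVENTORY = {
    ("microsoft", "exchange_server"),
    ("apache", "http_server"),
    ("openssl", "openssl"),
}

# Constructed sample feed entries (placeholder ids, not real CVEs).
SAMPLE_FEED = [
    {"id": "CVE-0000-0001", "vendor": "microsoft", "product": "exchange_server",
     "cvss_v3": 9.8, "summary": "constructed: remote code execution"},
    {"id": "CVE-0000-0002", "vendor": "apache", "product": "http_server",
     "cvss_v3": 7.5, "summary": "constructed: denial of service"},
    {"id": "CVE-0000-0003", "vendor": "openssl", "product": "openssl",
     "cvss_v3": 5.3, "summary": "constructed: information disclosure"},
    {"id": "CVE-0000-0004", "vendor": "somevendor", "product": "not_used_here",
     "cvss_v3": 10.0, "summary": "constructed: irrelevant to this inventory"},
]


def cvss_v3_severity(score: float) -> str:
    """Map a CVSS v3.x base score to its qualitative severity band."""
    if score == 0.0:
        return "None"
    if score < 4.0:
        return "Low"
    if score < 7.0:
        return "Medium"
    if score < 9.0:
        return "High"
    return "Critical"


@dataclass
class Finding:
    cve_id: str
    product: str
    score: float
    severity: str
    react_now: bool  # True for High/Critical: react quickly, per the text


def triage(feed, inventory) -> list:
    """Keep only CVEs for products in the inventory; flag High/Critical."""
    findings = []
    for entry in feed:
        key = (entry["vendor"].lower(), entry["product"].lower())
        if key not in inventory:
            continue  # noise: a product this business does not run
        sev = cvss_v3_severity(float(entry["cvss_v3"]))
        findings.append(Finding(entry["id"], entry["product"],
                                float(entry["cvss_v3"]), sev,
                                sev in ("High", "Critical")))
    # Highest score first so the urgent items lead the report.
    findings.sort(key=lambda f: f.score, reverse=True)
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_FEED, INVENTORY):
        flag = "REACT NOW" if f.react_now else "schedule"
        print(f"{f.cve_id} {f.product:16} {f.score:4.1f} {f.severity:8} {flag}")
```

The irrelevant 10.0-scored entry is dropped even though it is the most severe in the feed, which is exactly the point of filtering by your own inventory before looking at severity.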

But the CISO’s management of security risk is becoming increasingly complex, partly due to threat actors. They are becoming more aggressive, using automated methods and disseminating more malware with fewer resources to do so. 

This rapid increase in attack frequency leaves CISOs overwhelmed by the volume of attacks, the number of malware variants, and their volatility. 

Such trends make it increasingly hard for CISOs to identify business cyber threats, monitor the attack surface exposure, or even analyse the cyber risk.

Seeking cyber threat information in the right places 

CISOs can make their job easier by actively following security blogs and groups that share updates on CVEs, as well as official CVE sources.

The best option is to subscribe to cybersecurity groups, news sites, and big vendors to get the info from all relevant sides: the vendor and researcher angle, with focus on systems and vendors they are using. 

Some places that help include:

  • AON releases annual cyber risk reports. They are a good starting point for identifying the business threats with the highest risk for your particular industry and business type.
  • CIS has a great cybersecurity information hub. It’s updated regularly with new business threats, outlooks, and advisory news, and has a top list of malware for the previous month. 
  • Microsoft’s blog shares diverse information and keeps its CVEs up to date. It explores topics on security priorities, cyber risk assessment, regulations, and solutions, among others.   
  • Malwarebytes’ blog shares educational articles, how-to guides, and weekly news roundups on cyber events. Sophos’ Naked Security blog discusses the newest security events, settlements, leaks, vulnerabilities, and hacks, and has its own security podcast.

CISOs must make it a habit to check for new developments at least several times per week.

Finding cyber threats on the dark side 

Zero-day cyber threats are troublesome because most responses to them are reactive: the vendors and developers have not yet published anything about the flaw, so there is no CVE to watch for.

Lots of security professionals feel as if there isn’t adequate information out there that would help them stay safe from these attacks. 

Browsing the dark web forums for possible vulnerabilities is one solution – just ensure that you stay in the legal zone while you do so. 

You will stumble across blogs on the dark web that mention exploits without an official CVE record. It doesn’t mean the threat is negligible; it just means the vendors or developers are unaware of it at that time.

Threat actors will often stay a step ahead, so use this to your advantage and check dark web sources and make sure to gauge the impact on your systems anyway. Just in case. 

Only a proactive approach like that will help you identify business cyber threats and minimize the risks of zero-day attacks. 

Overall

The cybersecurity landscape is experiencing shifts almost daily, so you’ll have to dig into the news at least three to four times a week (if not more) to stay up to date. Proactive searching and focusing on cyber risk mitigation is the only right approach here. A reactive approach doesn’t include mitigation. By the time you react, the damage is already done!


Are Soft Skills Becoming More Important Than Tech For IT & Cyber Pros?

It wasn’t that long ago that IT professionals were hired for their IT knowledge and specialisation. The so-called hard skills they learned through education, training, certification, and on-the-job experience were all that was important. 

Now we see a shift in what organisations are expecting from cyber professionals in particular. The most prevalent trend for new IT roles is a large emphasis that’s placed on soft skills. 

The Shift Towards Soft Skills

The inclusion of soft skills to the list of wanted skills for IT and cybersecurity roles shows that the field is maturing. 

The West Monroe Partners study “Closing the Technology Leadership Gap” reveals that 98 per cent of HR leaders confirmed they place high importance on soft skills for getting a technology position, and a staggering 67 per cent didn’t offer a job to a candidate with all the hard skills because of a lack of soft skills.

Soft skills are an integral part of the individual’s personality. They determine how an individual will respond to pressure and different circumstances in the workplace, how they will adapt to changes and interact with others. 

This shift in requirements is partly due to changes happening to the role of IT and cyber professionals within organisations now—they aren’t an isolated unit that just keeps things running. 

They are becoming an integral part of the C-suite, with CIO, CSO, CISO, CTO, CDO roles helping IT contribute to business success. 

Increasingly, IT and cyber pros are in contact with the board or key decision-makers. They must have a proactive approach, and they must ensure that IT is in sync with the organisation’s long-term goals.

Most important of all, they must be able to develop strategies that will help achieve such goals and have the means to explain these strategies and complex subjects from their field to stakeholders who do NOT possess hard IT skills and won’t understand the technical focus that will make it possible. 

The Soft Skills Gap Is Driving the IT Talent Gap

And while there are cybersecurity and IT talent shortages across the globe, organisations are demanding that IT and cyber pros have a good set of soft skills, and opting to leave the role vacant for longer if necessary.

Their reasoning? It’s easier to teach hard skills than soft skills. 

While this might be true, teaching soft skills will yield good ROI as well, as was demonstrated at MIT. It will take a while for organisations to offer professional development in soft skills, so IT and cyber pros might want to focus on developing these on their own. Doing so means being able to command a much higher salary and benefits. 

What Soft Skills Are the Most Important? 

Whenever an IT or cyber pro can’t use their vast knowledge and experience to get an approval for new solutions or strategies, a soft skills gap might be the culprit for it—communication skills, in that particular case. 

In the digital era, IT and cyber pros have become a go-to source to help with crucial business decisions. By using the right tools and language, IT and cyber specialists can make the board understand the impact of new IT and cybersecurity developments in a way that matters most—the financial impact on the company bottom line. 

IT pros who are well-versed in soft skills and know their way around business terms will have an easier time presenting their findings in front of the board. The most important soft skills for the IT field will be: 

  • Communication and negotiation skills – The ability to effectively communicate and explain your findings, risks, solutions, and strategies to the board and other stakeholders.
  • Presentation skills – Oftentimes, IT pros will find themselves in a position where they must present their findings to those who don’t have a technical background or leading a course on cybersecurity threats and new IT solutions to in-house staff. Knowing how to shape the presentation will decide whether the subject is clearly understood or not. 
  • Adaptability and problem-solving skills – The IT and cyber landscape is in a state of constant change, with new issues and threats being revealed each day. A professional with well-developed creative thinking skills will have an easier time troubleshooting and solving IT and cyber issues, and will have no trouble being an early adopter of new tech solutions.
  • Teamwork and conflict resolution – IT and cybersecurity professionals now work side by side with other departments, so being a good team player who knows how to defuse tense situations when working towards a common business goal takes priority over being a solo player focused on their own success. 

What soft skills play the most important role depends on the IT role within the company. 

  • Managerial positions require communicating changes, leading meetings, making presentations, and explaining problems and issues.
  • Leadership roles require communication, active listening and analytical skills, translating technical requirements to terms that are understood by all, breaking down complex concepts, and documenting issues and actions. 

The biggest issue with soft skills is that it’s hard to teach and learn them, but it is not an impossible task. 

Developing Soft Skills as an IT and Cybersecurity Professional

The only way to get better at soft skills is to practice using them. The first thing you must do is to identify areas that you struggle with. Everyone has their strengths and weaknesses, so find out what yours are and then improve. 

Here are a few tips on improving your soft skills: 

  • Ask for feedback – Sometimes, self-assessment is not enough, so ask for feedback to become aware of areas you might have to work on.
  • Learn from those with good soft skills – When you identify the skill you are lacking, don’t hesitate to take pointers from those who are good with a specific skill. If your colleague is great with explaining complex subjects, ask them to become your coach.
  • Do not shy away from challenges – Be proactive in getting a lead position on tasks and projects, as this helps you hone your interpersonal skills, especially communication, management, and conflict resolution.

Stay Ahead

Most important of all, always be willing to continue learning and improving your skills. The IT and cybersecurity landscape is changing rapidly and will continue to do so. So professionals in the industry need to keep up. 

Cyber and IT pros must be willing to update their knowledge and share their insights and strategies with everybody else in the company and work on improving their soft skills to make communication and presentation efficient and easy to understand.


CyberTech 2020: Insights From Eli Migdal (Part 2)

Eli Migdal, our founder, attended the CyberTech 2020 and got lots of insights from the event. 

In this video, he is discussing the complexity of the cybertech field and how to easily communicate it to decision-makers and board members. 

“How can we really expect our boss, our decision-makers, to fully comprehend the complexity of cybersecurity, especially now in 2020?” 

He explains that even the cybersecurity community finds the field extremely complex. To keep on top of things, cybersecurity professionals must learn about new developments and keep a close eye on new threats, as well as being aware of all the regulatory changes. 

Cybersecurity professionals spend lots of resources on understanding the latest developments – both threats and solutions – by constantly reading, learning, and using proof of concept. 

And while so many resources go into understanding threats and developing adequate solutions quickly, there is also the issue of a big skill gap in the field, where there just aren’t enough cybersecurity professionals. 

“How can we explain this super complex problem which is also complicated for cybersecurity professionals?” asks Eli. How can cybersecurity professionals present the threats and solutions to the board of directors and decision-makers?

He gives an insightful answer: “We must simplify it; it’s our responsibility. This is what we are getting paid for.”

As cybersecurity professionals, the only way to truly communicate the impact to board members and decision-makers is to quantify the complexities of the cybersecurity field into financial figures. 

It’s simple really: the board and decision-makers do not have the time to keep track of all the changes in the field, and they do not care about the complexities faced by cybersecurity professionals. What they do care about are the figures.

It is not the rate scores or complexity that helps them make a decision – it’s the financial impact. 

Simplify. Don’t complicate.
