Which is a bigger risk? Ransomware or lack of IT & Cyber Human Resources (and how to quantify to BOD)
During my consulting sessions on cyber security, I see a recurring theme. There’s usually a skilled team with great ideas and capabilities.
But not enough human resources to execute it.
A CTO or CIO will usually have most of their team already engaged in dozens of IT and Cyber projects. Even the most basic exercises like vulnerability assessments can get delayed just because there are not sufficient team members (or financial resources to use suppliers.)
You may think that if the company has the resources to appoint a CISO, that the CISO will then have sufficient resources, and enough people… think again 🙂
In many cases, the CISO’s team is already caught in several projects as well and entire security teams are not able to perform their required roles.
In this phase, I usually recommend “requesting decision-makers” for more resources, more people or more money so you can use an external company.
Also in this phase, I see how hard it is for the Manager to ask for more resources even if they understand that not asking for more resources will put the company at risk.
I use the BOARDISH methodology to show a clear financial impact of a “lack of resources”,
*See an example of quantifying this via the BOARDISH web app (boardish.io)
- The Core issue of the test company is that they have an End of Life server in production, which both contains PII information and also several systems that use old SMB protocols.
- The CTO, Cyber Team and Compliance all know the risk this server is imposing on the company.
- It just a matter of time until the SMB protocol will cause Ransomware AND / OR Data Leakage of PII information.
- Company information – I am using a test company with the following information:
This is where we put “Insufficient IT & Cyber Resources” as the main Threat,
And we use info that we know from Ransomware and Data Leakage for this specific company as our “Turnover Days Loss” and “Work Day Loss”
Why ? – because “Insufficient IT & Cyber Resources” will not allow you to even “get to” addressing the actual Ransomware & Data Leakage issues – it will delay and delay them.
In Solutions, we will put 2 options, inputting the yearly cost.
- Recruiting a staff member
- Using an external company
Threat Protection Factor ( TPF ) :
In this scenario – our solution will “most likely” solve the entire threat, this is why we will input 90%
Recruiting in-house VS Outsourced will usually require more resources for ongoing management. So we must account for this time (and hourly costs of this time) in the yearly expert costs.
Regulation has a HUGE impact on our scenario, the lack of resources will most likely to a Data Leakage of PII.
And we have a CLEAR FINANCIAL IMPACT NUMBER to show our Decision Makers / Board:
- What is the COST of the”Insufficient IT & Cyber Resources” Threat
- What are the components of this Threat (Market Loss, Regulation, Salary Loss and Sales Loss)
- What is the COST of EACH OF THE OPTIONS of Resolving this Threat
- What is the leftover exposure in each environment to consider when looking at further mitigation.
The Boardish Methodology is combining a Risk Assessment exercise with Financial quantification, now your Decision Maker / Board needs to make a very clear decision:
Provide the resources for solving the Threat or accept the Cost of the risk.
Quantify your biggest risks
And explain to decision-makers which ones to focus on first…