What To Do When Your IT & Cyber Risk Assessment Priorities Don't Align With Another Department (A Case Study)
Doing a Risk Assessment process is one the critical things that we as Cyber Security professionals, need to do in order to gain much-needed visibility into the business.
The initial purpose is usually to map the biggest threats IT & Cyber in the company and build a plan on how to mitigate them.
But what do you do when the Risk Assessment does not align with another department?
Sometimes IT & Cyber’s highest priority can be lower than the priority of another department.
(Something that we don’t always want to hear as cyber professionals!)
I want to share an experience from our BOARDISH ecosystem in which a CISO and a Risk Consultant found themselves in exactly this scenario and were able to resolve it quickly and effectively:
- Large scale, international eyewear manufacturer.
- More than 50% of the sales are done online via Ecommerce sites
- Large database of globally located customer information which includes:
- Relatively high (when compared to other competitors ) Cost of Customer Acquisition (CAC)
- The company did NOT have any large scale Data Breaches
- The company DID have several website downtime incidents
The Challenge – Part 1 :
The CISO and the Risk Consultant have arrived at the conclusion that a Data Breach is the highest-ranking Risk for the company,
The logic for the decision following a NIST based (a more adjusted for European market version) Risk Assessment was:
- The large database of customers which includes European customers therefore highly impacted by GDPR.
- High customer acquisition cost (CAC) which makes the customer database very lucrative for competitors.
- Lack of high-quality cybersecurity tools/infrastructure, specifically a lack of encryption for unstructured information.
The Challange – Part 2:
When presenting the Risk Assessment to the CSuite (the meeting was lead by the CFO and COO) and requesting budget for the mitigation process a hard pushback came from the Marketing & Sales Department regarding the CISO’s Risk Assessment.
Head of Marketing & Sales said very clearly that they dont agree with the CISOs Risk Assestment the “The website suffering from downtime should be the highest priority for IT & Cyber to fix”
The Head of Marketing & Sales were pushing hard that any new budgets should be allocated to increasing the strength of the website, making it more robust to reduce the risk of “downtime” because of the key role it plays in acquiring customers which has a direct impact on sales.
Both CISO and Head of Marketing & Sales used “Risk Scores”, “Risk Priorities” , “Risk Matrix” – everything was discussed in “Risk Language”, each advocating for their own “side”.
The Challange – Part 3 (From the perspective of the Board / CSuite) :
Imagine yourself being in the decision-maker’s shoes:
- You have your CISO and Risk Consultant advocating for budget allocation for “Data Breach”, being the highest risk and budget should go for protection tools against that threat.
- You Have your Head of Marketing & Sales advocating that the website being down is the highest risk and all the budget should go to making the site more robust
But Risk Scores, Risk Priorities, and Risk Matrix are all subjective! When you measure the risk of a website downtime to marketing it’s a high risk to their function, but is it high to the company? Does a high risk of data breach really impact the company in the industry they operate in and is that impact higher than the website being down?
These are all questions that couldn’t be answered with the data given, so the CFO requested a more detailed report from both parties because making an educated, smart decision in that phase was near impossible.
So, what does this look like?
The CISO understood that it isn’t the smart move to start “arguing” with the Head of Marketing & Sales and the smart and professional move is to sit down with him and understand his entire Risk Assessment process.
The CISO saw that from Marketing & Sales perspective the website being down is the “worst-case scenario” but also saw that Marketing & Sales were not really aware of MOST of the risk that the CISO is responsible for.
It was clear that the Risk Assessment results required a Common Denominator, Both decided to Translate their Risk assestment into financial figures. Translating the risk into money.
In order for Both Sides to understand which Risk is really the most dangerous for the business they needed to translate Risk into Financial figures ( Risk into Money ). A common denominator that wasn’t subjective.
They used the BOARDISH Methodology to quantify the main threats:
- Data Breach
- Website downtime
For Each threat, they inputted together, with full transparency the following information:
- What is the “Chance of losing the market position” from the specific threat – including reputational loss, branding etc?
- How many Turnover days will be lost from each threat?
- How many Workdays will be lost from each threat?
- What is the regulation impact, financially from each threat?
All the information was fed into the Boardish system with the company information ( like Turnover, number of employees etc.) and the results were crystal clear:
Data Breach had 2.5X the financial impact compared to Website Downtime on the business
- The main reasons for the high figure were Market Loss and Regulations while “Downtime” only impacted specific Sales, limited branding and reputation and a slight temporary increase in CAC.
The process was done TOGETHER with the Head of Marketing & Sales which later on admitted that he was just not aware of all the risk factors that CISOs are responsible for. As well as the financial impact on the organization.
A Joint Meeting with the CFO and COO was done in which the Boardish information was shown, including “how did we get to those numbers exactly” (they shared the Boardish Wizard).
The IT & Cyber Budget was approved.
The CFO and COO have requested all the departments to start to quantify Risk when they are requesting Budgets going forward because it’s ‘easier to make a decision.’
The CISO is now working more closely with the remaining departments and have much better visibility into the challenges and furthermore have more solutions to offer the entire company.
To sum up:
Take your Risk Assessment > Quantify the Risk into Money > Achieve a Common Denominator with other departments so you can speak with all your colleagues in the same language > Present to your Board > get a decision.
Remember, you don’t have to work against other departments as a cyber professional! Boardish allows you to quantify your risks so you can clearly see the business importance and let decision-makers make a decision.
If you want to try Boardish for yourself, sign up is completely free here: https://boardish.io/
Eli Migdal – Co Founder of Boardish