Nightmare of CISOs: Convincing and Justifying the Cyber Security Investments

Controversies / Enterprise
1417 0
It’s always a problem for security professionals to pique the board’s interest in cybersecurity and persuade them to invest in cyber defenses.

First, let’s look at some intriguing facts. While 72 percent of FTSE 350 companies in the UK think that cyber risk is the most serious concern, just 46% have dedicated security expenditures to match. By that logic, today’s boards appear to be underinvesting in cybersecurity measures, and they are certainly not to blame.

It’s crucial to assess how boards manage broad organizational risks before pointing fingers. Surprisingly, studies have found that boards of directors have relatively little time to think about underlying cyber concerns. In fact, even in companies with chief risk officers, formally reviewing and discussing risks with the board of directors has a time limit of only 30 minutes. They occur on a yearly, semi-annual, or quarterly basis. It’s reasonable to imagine that smaller businesses devote even less time to discussing cyber dangers.

In any case, the 30-minute intervals aren’t solely for discussions on cyber risk. Boards can potentially examine all types of risks they face within these time periods, including financial, technological, cultural, and so on.

CXOs must pick which cyber dangers warrant the lion’s share of their attention in the face of untenable conditions. They do so depend on a variety of factors, including the severity of the danger and the extent to which a decision can be taken.

The consequences of cyber security are self-evident. To encourage boards to invest more in cyber security, it’s necessary to better demonstrate the true cyber risk that businesses confront. That means businesses will have to improve their monitoring, measurement, and presentation of the current cyber risk and the potential damage.

It’s also crucial to assess human-caused cyber risk. Professionals are, admittedly, fairly adept at summarising and quantifying cyber dangers in several domains. For example, technological defenses often keep track of the severity and number of attacks they identify. An increase in the frequency or severity of attacks is a solid sign of increased cyber risk.

The measurements from technology protections alone are used to develop security policies, yet, this might lead to security issues that humans overlook.

Cyber security is a socio-technical field of study. It affects people, and while technology risk metrics are reliable, “measurement” of human cyber risk currently boils down to whether or not security awareness training is being conducted.

It’s natural that more security-conscious companies have placed a greater emphasis on standards and training, but that’s where the responsibility ends. The simple training tick-in-the-box is even referred to in certain standards as a relevant metric in policy considerations.

The tick-box becomes a stray signal for time-pressed board members. Board discussions do not stray, and tick-boxes effectively signal that “we’re doing what we need to do on the cyber risk front,” allowing boards to proceed.

Security experts must present boards with something more striking to keep them focused on cyber security. To persuade them, indicators and measurements demonstrating the genuine, total (and often terrifying) amount of cyber danger must be provided.

Investments are driven by awareness, culture, and behavior indicators. Providing supportive metrics to boards that reflect employee security awareness, security behaviors, and the security culture of the firm. That should provide something very eye-opening for the leadership and board-level talks. Perceived cyber risk has suddenly equaled actual cyber risk. Cognitive biases and deference to tick-box approaches become obsolete.

The board has all they need to make informed and aware decisions, thanks to easy-to-understand, social, appealing, and fast analytics and recommendations. They also have everything they need to assess and improve their cyber risk maturity – either in place of or in addition to the many and relative risk maturity scales that businesses use today. With these indicators, cyber risk can finally be fully investigated, argued, and discussed.

Organizations frequently carry an undesirable amount of cyber dangers without realizing it. Therefore, security experts must be more watchful and vigilant. As security experts, we must do more to ensure that company boards of directors, at the very least, are aware of the true cyber danger that businesses face.

For more blogs checkout: Blogs

No Comments

Leave a Comment

Your email address will not be published. Required fields are marked *