As a CISO or CIO, it’s important to measure cyber security risk and communicate it effectively to the board of directors.
CISOs can use a combination of quantitative and qualitative methods to measure and provide a comprehensive view of the organisation’s cyber risk landscape.
“CISOs can use quantitative metrics such as the number of security incidents, cost, and the number of vulnerabilities addressed, as well as industry benchmarks such as ISO 27001 or the Cybersecurity Framework (CSF), to measure cyber risk,” said Rebecca Harper, head of cyber security analysis at ISMS.online.
“Using these metrics, CISOs can demonstrate the organisation’s performance compared to others in the industry and track critical data such as detected intrusion attempts, incident rates, and vulnerability response times.”
Qualitatively, CISOs can use threat intelligence and other sources of information to provide a more complete picture of the organisation’s cyber risk landscape. Additionally, scenario-based risk assessments and tabletop exercises can help test the organisation’s incident response and crisis management capabilities.
“When it comes to reporting cyber risk, CISOs and CIOs need to ensure that the board understands three basic concepts,” Harper continues. “First, cyber-attacks are inevitable – every organisation is vulnerable to a cyber-attack, and the consequences can be severe.
“Second, cybersecurity is a priority and should be considered as seriously as the other investments of a business, such as human resources and legal facilities. Finally, investing in cyber security is a long-term commitment, going beyond just having the right technology in place and also considering personnel and protocols.
“To effectively communicate cyber risk to the board, it’s important to establish a regular cadence of communication and reports. The EU’s Return on Security Investment (ROSI) formula is also a valuable tool for presenting the quantifiable value of an investment in cybersecurity to the board.”
Cyber security should be a priority for any organisation and the NCSC has published guidance that will help you deliver a secure approach.
Start with a cyber security baseline. Adopt a recognised baseline of security controls, such as those defined in Cyber Essentials. This approach doesn’t require any risk analysis at all; it’s just about applying some basic security controls and demonstrating that your organisation takes cyber security seriously. Make sure the security baseline you choose takes into account any laws and regulations your organisation must comply with.
All organisations face risks, no matter the size. Many cyber attacks use indiscriminate scatter-gun approaches to targeting victims. If you’re a small company you’re just as likely to be a victim of these scatter-gun attacks as a large organisation. Attackers may not know (or care) who you are until they get a foothold in your organisation.
Cyber security is as much about knowing how your organisation functions as it is about technology. Think about what people, information, technologies and business processes are critical to your organisation. What would happen if you no longer had access to them or if you no longer had control over them? Equally, some information such as personal data must remain private, but other types of information could be released without any disruption. This basic understanding of what you care about, and why it’s important, should help you to prioritise where to protect your organisation most.