A little over sixty years ago, Risk—arguably the elder statesman of popular strategy board games—was introduced. Much like the role of today's security professionals, excelling at the game of Risk required just the right blend of strategic thinking, diplomacy skills, and random chance. Risk-taking decisions needed to be thought through, from both a defensive and offensive point of view, and the better you understood the probabilities, the better your chance of winning. In the beginning all your possible moves were pretty easy to figure out. But, as the game progressed and the number of pieces in play expanded, the number of possible outcomes grew exponentially, making successful choices more challenging.
This is everyday life in cybersecurity. We all know the numbers—incidents continue to rise, as does the associated impact. Since all business growth relies on some amount of risk taking, risk management is becoming a critical component of a CISO's arsenal. However, in the game of cybersecurity, you don't need to just anticipate and manage risk, you need to measure it. And unlike the board game where measurement amounts to whether you win or lose; cybersecurity risk measurement has plenty of shades of gray.
How to Stay Ahead of the Game
Knowing how hard it can be to find meaningful metrics to measure the effectiveness of cybersecurity, members of the Security for Business Innovation Council (SBIC) have authored a new paper exploring modern approaches to risk management and measurement. "The CISO's Guide to Cybersecurity Risk Management and Measurement– New Mindsets and Methods for Measuring and Minimizing Business Risk," considers how factors, including the type of industry you compete in and how quickly your company is embracing digitization, should impact your risk measurement approach.
Regardless of your organization's market, product or digital point of view, council members identify three critical shifts that all businesses and security leaders must make to win at risk management and measurement in the digital age.
- Understand that cybersecurity risk is a business risk and not a separate IT problem: Digital transformation is redefining the way companies do business, bringing cybersecurity risk to the forefront.
- Accept that risk postures have to be aligned across the entire organization with common business goals as the core driver: Like data silos in the past, eliminating risk silos streamlines and improves the risk management process.
- Establish a common risk language to create consistent and actionable risk measurement models: Agreement among departments on how risk is defined eliminates confusion and provides a consistent way to communicate and measure risk.
Enter at Your Own Risk
Top CISOs agree on one undeniable truth: cybersecurity risk measurement is hard! Even the most highly skilled and experienced security leaders are challenged to pull all the pieces together into a cohesive, consistent, and continuous process. The good news for you? The leading global CISOs on the Security for Business Innovation Council have combined their diverse risk expertise, insights, and lessons learned to provide you with five game-changing golden rules to follow when putting together your own cybersecurity risk measurement program.
To learn more about how you can play the cybersecurity risk game to win, read "The CISO's Guide to Cybersecurity Risk Management and Measurement – New Mindsets and Methods for Measuring and Minimizing Business Risk.
Author: Peter Beardmore
Category: Research and Innovation, Blog Post
Keywords: CISO, Risk Measurement, SBIC