Cyber risk is a boardroom issue that many don’t see as strategic. Could intelligence monitoring help CISOs change their minds?
Keeping the UK safe from cyber attacks is now as important as fighting terrorism, according to Jeremy Fleming, head of GCHQ. He should know. It’s only been a year since GCHQ created the UK’s National Cyber Security Centre to protect our critical services and improve security. It has already reported over 1,100 attacks. More than 600 of these required a national response. That number is expected to increase.
None of this is a surprise to Chief Information Security Officers (CISOs), whose bread and butter is managing IT infrastructure security. But is it also the kind of evidence and trend that could empower CISOs to persuade their boards to treat cybersecurity as a business risk and a fundamental board consideration?
It’s a good question even today. In February this year, Harvard Business Review published board director views on their level of concern regarding business risks. Cybersecurity fell behind regulation and reputational concerns. Asked about strategic threats, cybersecurity fell even further down the list to tenth position behind innovation, changing consumer demand and levels of debt.
If the CISO reframed cyber security risks in business-critical rather than technical terms, how much more compelling would that be for the board to act on?
Cyber intelligence and business risk
One way in which CISOs can produce the measures that persuade boards to take cyber risk seriously is through cyber intelligence and other mitigation technologies. Research shows that such monitoring has lowered the average cost of a lost or stolen customer record from £104 in 2015 to £98 in 2017. Coupled with the real-time information from a cyber threat intelligence solution, it makes a powerful case when communicating with the board.
Imagine the potential impact of a CISO board report using their cyber intelligence to influence decision making:
“We have detected new strains of ransomware that put our legacy systems at risk. Those systems hold 100,000 individual records of our most loyal customers. We face a financial risk of £980,000 if we are compromised. To mitigate this risk we need to invest £200,000 to retire our legacy systems and move to a secure cloud-based solution.”
Empowering the CISO
Cyber threat intelligence which drives understanding of the potential financial impact of business risk may well be one of the most empowering tools a CISO can acquire. Without it, board cyber risk discussions lack the necessary resonance to be considered on a par with other risk concerns.
The role of the CISO is evolving and increasingly includes communicating with the board. Learning the board’s language and way of thinking will enable CISOs to be perceived as an aid to decision making rather than simply an operational expense or technical function.
The external cyber threat landscape is evolving. New threats appear daily. What’s secure one day becomes a risk the next. Cyber security intelligence technology can effectively monitor this landscape. It enables businesses to mitigate the risks and pre-empt threats before they become active or critical.
CISOs will decide for themselves which tools to use and how to influence their boards. But they do so against the backdrop of GCHQ’s warning. This is an organisation known for its use of intelligence. It pulls intelligence from multiple sources, analyses it and alerts the rest of us to its findings in relatable terms. Maybe we should follow its lead.