We recently interviewed Brian Contos, CISO and VP Technology Innovation at cybersecurity experts Verodin, to find out the one biggest piece of advice that CISOs need to take on board in 2019. Brian was an informative and entertaining guest on our CISOTalks podcast series and had the following to say regarding advice for CISOs:
So What Advice Do You Have for CISOs?
“In one word: proof.
Make sure that you have something in place that gives you both qualitative and quantitative evidence about what’s working, what’s not, how you should prioritize, what you can retire, whether your people are working effectively, whether your processes are working effectively and more. You need to be able to measure, manage and improve on those processes.
The reason this is so important is because now that the CISO has that voice with the rest of the executive team, the board wants evidence. Boards don’t want vague ideas about perceived threats, they don’t want to simply do something because everyone else is doing it, or simply have data protection because it’s the right thing to do. They need evidence.
The reason that’s necessary is that in a business, and in other government organizations, there are thousands of types of risk – cyber is just one. The board is evaluating all these different types of risk every day; they can’t handle a CISO coming to them with something that’s not quantitative or evidence based (i.e. predicated on actual yes or no data).
Now, once you can do that, you can communicate strategically and start aligning business objectives and needs to the rest of the board. You will start becoming far more important to the organization.
So, once more, our biggest piece of advice for CISOs would be: if you want to be effective, and you want to continue on this curve of cybersecurity maturation, start having evidence-based proof about the status of your security effectiveness. Without that, you’re trying to fight today’s battles with yesterday’s approach, and it simply isn’t going to work for you.”
So, How Do You Get Proof?
It can seem like quite a tricky task to get qualitative and quantitative evidence of your cybersecurity effectiveness. Thankfully there are services and solutions out there that can help make the job easier.
The Lepide Data Risk Assessment, for example, is a completely free service in which a report is generated showing where your biggest areas of risk are and whether you are in danger of suffering a breach. It uses real data from your environment to generate the report, which can easily be shared with the rest of the board.
There are also numerous tools out there that can help you put your cybersecurity risk into real business terms. For example, based on the amount of data you process, you can see how much a data breach would likely cost you. Couple this with the Lepide Data Risk Assessment and you have something quantitative and qualitative to present to the rest of the board to prove your value.