3 Reasons Why CISOs are Prioritizing Cyber Risk Quantification


Recently, I was part of four conversations with security leaders across several industries – manufacturing, financial services, natural resources and healthcare – about some of the challenges they face with cyber risk management. All of them are looking for new approaches due to changes in expectations from their boards, senior executives and other stakeholders.

A few years ago, CISOs were expected to have a complete picture of cyber risk for their organizations “in their heads”. CEOs, CFOs and boards would trust their CISOs to readily explain their organizations’ exposure to cyber risk with confidence, and to have detailed knowledge of the actions needed to manage cyber risk. Fast forward to today: the digital attack surface has exploded and the “seat-of-the-CISO’s pants” method of cyber risk management does not work. While it is massively difficult to discover all vulnerabilities, it is even harder to quantify and communicate cyber risk. As a result, cyber risk reports presented to boards and senior executives tend to:

  • Offer an incomplete view of risk.
  • Not quantify risk in monetary terms.
  • Include information that is not directly actionable.

It makes good…