How two CISOs have made security a business priority for the board and CFO
“Ok, so we have 400 cases of Shellshock. What does that mean to our profitability?”
The good news for CISOs is that board concern for cyber risk is at an all-time high. Boards know they need to provide oversight, but they aren’t always sure how to do so. They are looking to the CISO for guidance.
The bad news is that talking to the board in technology terms just isn’t effective. CISOs need a new way to present risk that is meaningful to the board and the rest of the executive team. They need to talk in terms of measurable business outcomes and the financial bottom line.
How two security leaders speak dollars to be heard
Here's how the security leaders of a 1,200-hotel hospitality company and an Ivy League university have successfully gained visibility into their total risk exposure, and translated it into dollars – the language of the board.
“We use MAX Risk Intelligence to report the financial impact to our Boardroom." Bonus: "It also empowers our students to self-assess their computers.” - Ivy League University
“The main reason I am purchasing MAX Risk Intelligence other than threat detection is to walk over to the CFO’s office for the justification of hiring people, procurement of additional products and services to safeguard our data.” - Hospitality Company
Step 1) Gain unprecedented visibility into risk across your organization
First, CISOs need visibility into the total risk exposure of the organization. MAX Risk Intelligence has triple threat detection to uncover sensitive data like credit card numbers and social security numbers, as well as vulnerabilities and access permissions.
Even the largest servers and the laptops of the most transient workers are scanned to answer:
- What data is at risk and where does it reside?
- How will an attacker gain access to it?
Step 2) Translate that risk into dollars
Once the CISO has a vivid picture of the organization’s total risk exposure in real-time, MAX Risk Intelligence automatically translates these metrics into dollars, answering: How much will it cost if the device is breached?
In business, attaching a dollar figure to a problem makes an impact. Think about how decisions are made to insource or outsource, or how the opportunity cost is calculated for choosing one project over another. It always comes down to dollars.
Putting a dollar number on data breach risk creates an instant, effective connection with an audience concerned about the bottom line.
MAX Risk Intelligence automatically weights the threats detected with an industry-standard dollar cost of a data breach. The results is a personalized Security Number for a device based on its real-time risk exposure.
Step 3) Present in the language of the Board and CFO
CISOs have a MAX Risk Intelligence security intelligence dashboard that automatically presents key metrics in dollars ready for the board and other C-level executives. The conversation goes from security nuts and bolts to:
“We have $10 million in total breach risk exposure today. Thirty days ago we were at $12 million.“
Gaining visibility and translating risk into dollars works on three levels for CISOs.
- Security team
It financially prioritizes data breach risk for the security team. The ‘worst offender’ devices can be targeted first for remediation, making the most dramatic reductions immediate.
- The board
It enables CISOs to give the board the security oversight they are seeking.
- Other executives
It also improves communication beyond the board and into the C-suite. CISOs can use this Data Breach Risk Intelligence to: Tie risk to business outcomes for the Chief Executive Officer (CEO); Justify resources to the Chief Financial Officer (CFO); Provide risk metrics to the Chief Risk Officer (CRO); Rank divisions by liability to engage Business Managers.
What Do the Dollars Look Like?
The MAX Risk Intelligence Data Breach Risk Brief 2015 analyzed the scans of 700,000 real customer servers, desktops and laptops. The results were pretty shocking, especially to some of the CISOs.
- 87% of desktops and laptops had unprotected credit card numbers.
- The average cost if breached for a desktop or laptop would be almost $50,000.
- Servers would average over $300,000.
- The highest cost if breached that MAX Risk Intelligence has seen – $300 million and $400 million respectively.
Find Your Own Security Number
The first step in understanding the power of the Security Number is to find yours. You can find your Security Number right now here.