Back in the day, all CISOs needed to do to get their cybersecurity budgets approved was to intentionally confuse the rest of the C-suite by using overly complex technical language and showing pretty infographics with lots of red. More often than not, fear was used as a tactic to justify spending money on cybersecurity solutions.
This evolved over the years as new regulatory bodies introduced standards that, in many cases, made cybersecurity a box-ticking exercise. CISOs would simply need to list the areas of weakness in relation to the applicable compliance mandates, and many vendors would offer scorecards to this effect, the goal being to fill up these scorecards in order to become “mature” in terms of security. Cybersecurity was almost never measured in terms that the rest of the C-suite could understand, and therefore CISOs had a fair amount of leeway to play with.
However, thanks to the evolving cybersecurity landscape, this is all changing.
Data breaches have become so frequent and often so devastating that the mainstream media are reporting on them (and often on the front page). The effect is that a large organization caught in a data breach scandal can see potentially crippling losses in stock valuation as consumer confidence diminishes. In addition to this, brand-new regulations (such as the GDPR in Europe) introduce steep monetary penalties for those companies not making cybersecurity a priority.
Such regulations demand that organizations do better when it comes to safeguarding customer data, but they have also had another effect. They have elevated cybersecurity from an IT concern to an enterprise-level concern, one that involves the whole C-suite and not just the CISO. This has raised the status of the CISO to one of the most important roles in any organization. And with that heightened position comes increased pressure. CISOs are being put under far more pressure to measure, manage and report cybersecurity posture in a way that the rest of the organization can understand. Quite often, this means reporting cybersecurity in monetary terms.
The old box-ticking way of measuring cybersecurity preparedness does not communicate risk in this way. At most, if a few boxes aren’t ticked, you can infer from this that the business is at risk. But this is not the kind of measuring, managing and reporting that the rest of the C-suite is interested in.
Fortunately, many cybersecurity vendors have cottoned on to the fact that CISOs are under pressure to prove the business value of their solutions and have adjusted accordingly. Lepide, for example, offers a free risk assessment for enterprises looking to see where their areas of vulnerability are and what they mean in real terms to the business. This involves one of their dedicated engineers doing all the heavy lifting: analyzing the security of your environment over a set period of time and producing a report geared towards highlighting the areas of risk and suggesting next steps.
Such reports highlight the business risk of your security posture and make it easy to justify cybersecurity spend. For more information on Lepide’s free risk assessments, contact us today.