Aligning the c-suite with cyber risk management

April 24, 2022 TH Author Trend Micro CISO : Article, Trend Micro CISO : Digital Transformation, Trend Micro CISO : Expert Perspective, Trend Micro CISO : Risk Management, Trend Micro CISO : Skills Gap

In addition, more than 80% of IT managers surveyed felt pressured to downplay the severity of cyber risks to their board in fear of sounding too negative or repetitive. While an understandable concern, IT leaders play a critical role in helping the boardroom clearly understand the cyber risk landscape to boost cybersecurity investments and enable the organization to grow.

Disagreements aren’t only between IT leaders and the C-suite, friction between IT and business decision makers runs throughout organizations. Case in point: IT leaders are nearly twice as likely as their counterparts to believe that ultimate responsibility for managing and mitigating risk should be with their own colleagues or the CISO.

This friction is already having a notable impact on organizations. Over half reported that their attitude towards cyber risk varies from month to month. This kind of inconsistency is the exact opposite of what’s needed: a stable, well-planned strategy built on best practices and clear insight into the risk environment.

Speaking the board’s language

Many of the business and IT leaders surveyed believe their board will only sit up and take notice of cybersecurity if they suffer a breach, or if customers demand it. How can you convince the board to be more proactive? IT and security decision makers need to speak the language of business risk that their board will be able to understand and act on. The cost and potential business impact of a security breach will certainly resonate.

As such, Trend Micro blocked over 94 billion threats in 2021—a staggering 42% increase from 2020, meaning the likelihood of being attacked and the associated costs to organizations increased as well. One estimate puts the total cost of a breach at over $4.2 million today, but ransomware compromises, for example, have cost some organizations tens of millions in lost sales, productivity outages, IT overtime, and more.

Next, security programs must also be formalized: a top-down, documented strategy highlighted by KPIs and established metrics will enhance the board’s understanding of risk.

This can seem complex if you’re utilizing disconnected point products, requiring your security teams to manually collect and correlate the necessary data. Enter: a unified cybersecurity platform with broad third-party integration, comprehensive visibility and continuous discovery of your digital attack surface, and extended detection and response (XDR) with automated executive reporting features.

Leveraging a platform requires board investment as well, ultimately creating a “what comes first” situation. Consider asking potential vendors for a proof-of-concept (POC) or free trial to show the c-suite the full reporting capabilities to secure their investment and simultaneously help them better understand the impact of internal friction on cyber risk management.

To learn more about managing cyber risk and the security and operational benefits of a unified cybersecurity platform, check out these resources:

You May Also Like

Going Beyond Built-in Security: Email Threats in 2020

Why XDR security in today’s threat landscape

Cyber risk management: Attribution strategies