Dark Reading is part of the Informa Tech Division of Informa PLC


Operations | Commentary
11/23/2020 10:00 AM
Vinay Sridhara

3 Steps CISOs Can Take to Convey Strategy for Budget Presentations

Answering these questions will help CISOs define a plan and take the organization in a positive direction.

As 2020 nears its end, CISOs and infosec teams are expected to prepare board and C-suite briefings on the state of their organization's cybersecurity posture, including a comprehensive 2021 cybersecurity budget. This is no small feat: one of the major issues plaguing CISOs today is limited visibility into the enterprise attack surface. According to a Ponemon Institute survey, 88% of breaches are attributable to poor cyber hygiene, exactly the kind of gap that distorts a company's view of its own security posture. Security pros are therefore faced with maintaining comprehensive visibility over a complex attack surface while also combating an evolving threat landscape.


What's more, recent statistics confirm that 16 billion records were exposed in the first half of 2020. As such, CISOs and security teams are overwhelmed by the challenge of maintaining and optimizing security posture, which can be an impediment to developing a strategic cybersecurity outlook for the board and C-suite. Given this lack of clarity into the attack surface and security posture, how can CISOs present a unified and strategic vision for 2021?

Step One: Gain an Understanding of the Organization's Cybersecurity Posture
With billions of security signals across an enterprise attack surface, CISOs must start by obtaining continuous, comprehensive visibility of the risks to their organization, which means an accurate inventory of assets and their criticality, the exposures on each, and the compensating controls that actually work. Artificial intelligence (AI) and deep-learning tools can help make sense of this vast number of signals, but they only amplify the quality of the inventory they are fed.

Since board members and other senior executives are rarely skilled cybersecurity pros, CISOs are best served by quantifying cyber-risk in financial terms that these stakeholders understand. By communicating in the language of business, rather than technology, CISOs will find a more receptive audience that better understands the information security program and is more likely to provide support for infosec team requests.

Step Two: Build a Board Presentation

Slide No. 1: Where are we on the cyber-risk spectrum?
● This first slide helps the CISO show where the company sits on the cyber-risk spectrum, using the risk data gathered in Step One. The CISO can then express the risk scores in financial terms given the current security controls and outline the business impact of a breach.

Slide No. 2: Quantify cyber-risks across the business.
● Every enterprise is organized differently, so CISOs should break down risk areas in pre-existing structures. This might mean organizing by business unit or asset type. Regardless, the idea is to communicate the highest risk areas of the business that need additional focus.

Slide No. 3: Show progress with risk trends.
● In this slide, CISOs can offer a high-level summary with visualizations showcasing how risk levels have changed since the last board meeting. CISOs can also point out specific areas of risk that have decreased or increased and support those conclusions with data.

Slide No. 4: Where do we want to be?
● An open conversation with the board about where the organization should be on the cyber-risk spectrum is key. Companies have an ever-expanding attack surface as data grows and technology accelerates. In addition, employees are shifting toward remote work, which brings a whole new layer of security concerns.

Slide No. 5: How will we get there? Lay out a plan.
● In this last slide, CISOs can present a prioritized list of projects and deployments for the next quarter, with the expected impact of each on overall risk relative to its projected cost.

● To answer "how will we get there?" effectively, CISOs need to know their security posture's most vulnerable areas. They can then present the top risk groups that need to be addressed, building the case by comparing the cost of each mitigation with the likelihood of a breach and the business impact of a breach in that area.

Step Three: Develop a 2021 Budget
CISOs recognize they cannot reduce their organization's cyber-risk to zero. Still, they can reduce it as much as possible by eliminating the most significant risks first. Therefore, when developing a budget, CISOs should take a proactive, risk-based approach that homes in on the biggest cyber-risks facing the business. This approach lets the CISO quantify the risk across all areas of cyber weakness and then prioritize where effort is best expended, so that fixed budgets and teams deliver the maximum impact.
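The cost-versus-likelihood-times-impact comparison in Slide No. 5 and the risk-based budgeting in Step Three are one calculation, worked through below as an added example. This is not the author's or Balbix's method: it uses the classic annualized loss expectancy (ALE) model, ALE = annual likelihood x single-loss impact, to put each risk area in dollars, and then picks the mitigation set with the highest net benefit (risk reduction minus cost) inside a fixed budget. Every risk area, likelihood, impact figure and project cost in it is a constructed illustration value, not real data.

```python
"""Risk-based budget prioritization, constructed example (not real figures)."""
from __future__ import annotations

from dataclasses import dataclass
from itertools import combinations


@dataclass(frozen=True)
class RiskArea:
    name: str                 # business unit or asset type, as the board sees the estate
    annual_likelihood: float  # estimated probability of a material breach per year
    impact_usd: float         # estimated single-loss cost: response, downtime, fines, churn

    @property
    def ale(self) -> float:
        """Annualized loss expectancy in dollars."""
        return self.annual_likelihood * self.impact_usd


@dataclass(frozen=True)
class Mitigation:
    name: str
    area: str                      # name of the RiskArea it applies to
    cost_usd: float                # projected annual cost: licences, people, project work
    likelihood_reduction: float    # fraction by which it cuts annual likelihood (0..1)
    impact_reduction: float = 0.0  # fraction by which it cuts single-loss impact (0..1)


def residual_ale(area: RiskArea, applied: list[Mitigation]) -> float:
    """ALE left in one area after the given mitigations are applied.

    Reductions on the same area combine multiplicatively, not additively: two
    controls that each halve likelihood leave a quarter of it, never zero.
    """
    likelihood, impact = area.annual_likelihood, area.impact_usd
    for m in applied:
        if m.area == area.name:
            likelihood *= 1 - m.likelihood_reduction
            impact *= 1 - m.impact_reduction
    return likelihood * impact


def ale_by_area(areas, mitigations=()):
    """Slide 2 view: dollar-denominated risk per business unit or asset type."""
    return {a.name: residual_ale(a, list(mitigations)) for a in areas}


def total_ale(areas, mitigations=()):
    return sum(ale_by_area(areas, mitigations).values())


def plan_budget(areas, mitigations, budget_usd):
    """Slide 5 view: the affordable mitigation set with the highest net benefit.

    Exhaustive search over subsets, which is exact and fast for the handful of
    projects a board deck carries (2^n subsets; fine up to a few dozen items).
    """
    baseline = total_ale(areas)
    best, best_net = (), float("-inf")
    for k in range(len(mitigations) + 1):
        for subset in combinations(mitigations, k):
            cost = sum(m.cost_usd for m in subset)
            if cost > budget_usd:
                continue
            net = baseline - total_ale(areas, subset) - cost
            if net > best_net:
                best, best_net = subset, net
    chosen = list(best)
    return {
        "chosen": [m.name for m in chosen],
        "cost_usd": sum(m.cost_usd for m in chosen),
        "risk_reduction_usd": baseline - total_ale(areas, chosen),
        "net_benefit_usd": best_net,
        "residual_by_area": ale_by_area(areas, chosen),
    }


# Constructed illustration data; the names and numbers are made up.
AREAS = [
    RiskArea("Customer web portal", 0.30, 2_000_000),
    RiskArea("Remote-workforce endpoints", 0.40, 800_000),
    RiskArea("Internal HR systems", 0.10, 500_000),
]
MITIGATIONS = [
    Mitigation("WAF + 14-day patch SLA", "Customer web portal", 150_000, 0.5),
    Mitigation("MFA + EDR rollout", "Remote-workforce endpoints", 120_000, 0.6),
    Mitigation("Immutable backups", "Customer web portal", 60_000, 0.0, 0.3),
    Mitigation("HR access-review tooling", "Internal HR systems", 80_000, 0.5),
]

if __name__ == "__main__":
    print("Baseline ALE by area:", ale_by_area(AREAS))
    print("Plan for a $300k budget:", plan_budget(AREAS, MITIGATIONS, 300_000))
```

With these inputs the baseline risk is $970k a year; a $300k budget buys the WAF and the MFA/EDR rollout ($270k) for a $492k reduction, while the HR tooling is rejected because its $80k cost exceeds the $25k of risk it removes. The multiplicative combination in `residual_ale` is the caveat worth remembering in front of a board: stacking the backups on top of the WAF in the same area removes less than the two controls' individual reductions would suggest, so a deck that simply adds per-project "risk reduced" figures overstates the result.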

The fact is, industry breach-cost studies put the average cost of a data breach at around $4 million (the IBM/Ponemon Cost of a Data Breach Report, for example, reported a global average of $3.86 million for 2020), more than the entire security budget of many organizations. Consider a scenario where one CISO invests heavily in proactive measures and avoids a major breach, while another invests primarily in reactive measures and ends up cleaning up after one. The proactively inclined CISO can end up spending an order of magnitude less overall, because prevention and detection controls cost a fraction of incident response, regulatory penalties and lost business.

As a CISO, if you place yourself in the board's shoes and clearly communicate and quantify your organization's overall cyber-risk, your message is better received, and you're more likely to get the support needed to transform your company's cybersecurity posture.

A Solid Foundation for Board Presentation Success
While top leadership and board members are increasingly aware of the daunting challenges of cybersecurity, a board member's view of it is primarily a set of risk items, each with some likelihood of occurring and some business impact.

To present an accurate plan and budget, CISOs must understand the organization's IT inventory, including asset criticality, other risk items, and which compensating controls are effective. An AI solution can help an organization analyze the data signals across the attack surface on a continuous, real-time basis to quantify risk, prioritize the most important tasks, and define a plan and vision for the future.

As such, answering the five slide questions ahead of time will help CISOs define a plan and take the organization in a positive direction.

Dr. Vinay Sridhara has more than a decade of R&D experience in wireless communication, security, and machine learning. Prior to joining Balbix, Vinay worked at Qualcomm Research for over nine years, where he worked on wireless networking, mobile security, and machine ... View Full Bio