The CISO role is stressful. Not only do CISOs face the constant pressure of the next potential attack or breach, but our research has shown that they work considerably longer hours than their contracts dictate, and that they face a growing amount of pressure from the board. Add to this the resource gap, where they need an increasing amount of investment and talent that is hard to come by, and it’s easy to understand why the average tenure of a CISO is only 26 months.
Taking a closer look at the investment challenge, 26 months isn’t much time at all to analyze the current situation, identify what investment is required, and then put forward a business case compelling enough for the senior leadership team to invest. It’s also very difficult for CISOs to lay out that business case: you’re investing to mitigate something which might happen, which is subjective and very difficult to measure, particularly with limited funds and resources.
A lot of work has been done in the industry to try to put costs and figures around the effects of a breach, to encourage senior leadership teams to sign off on investment and implement more robust security. The Cost of a Data Breach Report, for example, is a yearly measure of impact with eye-watering findings: on average $3.92 million for each data breach.
There have also been numerous reports and frameworks put together by experts to help organizations work towards the common goal of a more secure world, from NIST, NIS, CIS and ISO 27001 to the NSA and NCSC’s top 10, through to the UK Cyber Essentials. They give a pretty thorough overview of what good security looks like, and they could form a checklist for organizations to ensure they do indeed have best-of-breed security.
Another way to look at the guidance is to turn it into an evaluation of organizational risk, giving color and detail to the business case for investment. Whether it’s a heat map or a scoring system, these frameworks can highlight vulnerabilities and be a vital communication tool for the CISO.
This type of mapping can also be reversed. How much easier would it be for a security professional to evaluate a security solution if they understood how it mapped to the various frameworks, and consequently to the investment evaluation?
So that’s exactly what we did.
If you’d like to have a conversation about evaluating risk and using this to inform investment decisions – get in touch!