Especially in recent times, many CISOs keep repeating to themselves the same question they receive every day from their bosses and colleagues: "How safe are we?"

Despite the simplicity of the question, the answer is not so simple, and sharing an Excel sheet of the vulnerabilities found and addressed during the last week is not enough. Quantifying and communicating an organization's level of cyber risk in a way that other managers can understand remains a challenge for CISOs, and can make it difficult to obtain the cybersecurity investments necessary for an organization that is growing or that wants to stay in the market for a long time.


According to a recent study conducted by Tenable and Forrester Consulting, in the last year 94% of companies with a global presence have suffered at least one cyber attack with an impact on the business. The study, which surveyed 416 security executives and 425 business executives from midsize and large enterprises, also revealed a gap between company expectations and the realities facing CISOs.

As companies have moved to remote work during the COVID-19 pandemic, it has become increasingly difficult to identify which cyberthreats relate to the attack surface and to understand which ones pose the greatest risk to the company. Additionally, many CISOs have to justify their investments in the face of an economic downturn following prolonged lockdowns, and this at precisely the time when cybersecurity is finally becoming a topic under consideration at board level.

Towards a Security Aligned with the Business

The cited study aimed to identify key challenges and to help CISOs build a meaningful dialogue with their business counterparts. A few key themes emerged from it:

  • Cybersecurity threats emerge in a climate of uncertainty. 41% of executives surveyed reported that their companies experienced at least one COVID-19-related business-impact cyberattack in the previous 12 months, as of April 2020.
  • There is a disconnect between how companies understand cyber risk and how they manage it. Fewer than 50% of CISOs rate cybersecurity threats as a business risk.
  • Only half of CISOs (51%) say their security team works with other business stakeholders to align their cost, metrics and risk-reduction goals with business needs. Only 4 out of 10 CISOs (43%) regularly compare security metrics against business objectives.
  • Boards and CEOs continue to ask for a clear picture of the company's cybersecurity posture, but CISOs struggle to provide one. Only 4 out of 10 CISOs can confidently answer the question: “How safe or at risk are we?”
  • Cyber InfoSec must become a company strategy. This can only happen if CISOs understand their "true" attack surface: today only half of them have a holistic understanding and assessment of the entire enterprise attack surface, and less than half use contextual threat metrics to measure their company's IT risk. This highlights the limits of their ability to analyze IT risks and to prioritize remediation based on business criticality and the context of the threat.

Conclusion

Ultimately, the study shows that when company managers and their CISOs are aligned on goals, significant business benefits emerge: for example, business-aligned CISOs were found to have metrics for monitoring cybersecurity ROI and its impact on business performance, and they are much more confident in their ability to determine the company's level of security or risk.
