By V3 Cybersecurity
Our last article “Addressing the Unanswered Organizational Needs of Today’s CISO” focused on disrupting legacy consulting models and providing CISOs with a new capability for establishing real time and dynamic cybersecurity visibility and benchmarking into their security program. Additionally, we examined how the new capability provided a platform for reducing individual liability within the board and officers of the company. The Caremark International Inc. Derivative Litigation established that if your directors are doing what they can to meet their duty of care, then they are unlikely to be held liable for poor compliance oversight. The Minerva Platform by V3 Cybersecurity provides a new approach for organizations looking to minimize liability and demonstrate due care. Now we want to turn towards two topics that are of equal importance when providing business context to your cybersecurity program–organizational exposure and alignment.
There are countless reports and studies from vendors providing insight into the cost of a data breach. In most cases, the insight is interesting but cannot be applied in a meaningful way outside of bestowing fear on organizations and generating leads for the vendors. Equally, we have seen the meteoric rise of cyber insurers and organizations guessing (albeit somewhat educated) about the amount of coverage needed to limit their financial exposure in the event of a cyber breach. Most of what we see are companies continuing to try and tackle the risk equation with agent-based technical controls and some sort of proprietary ordinal risk indexing method. There is no argument that these technologies can provide useful insight into threat and anomalous activity, but they do not answer the financial questions that should be leading the conversation. How many CISOs and security professionals are prepared to answer the questions: “What is the financial exposure to our company if we were to have a major cybersecurity incident?”, or “How much insurance should we have to protect us against a cyber incident and why?”
The few organizations that are trying to tackle the issue are moving the needle in terms of quantification of exposure but are still reliant on high levels of organizational maturity and security staff to understand and drive financial determinations for the organization. Unfortunately for businesses, most cybersecurity staff are highly sought-after specialists in IT Security and have limited interest in becoming financial analysts. Not to mention that most organizations have enough challenges finding sound security staff, much less an experienced CISO.
“Organizations need a better understanding of their loss of value in the event of a cybersecurity event. While understanding the cost of litigation, loss of clients, and remediation activities is one way to get to a valuation, does it accurately reflect the investor’s trust in management or willingness to invest in the organization? The simple truth is that most organizations do not know their exposure to cyber events. Even if a company is able to establish a financial value, there are macro and micro influences that are not well understood,” says Jorge Conde-Berrocal, CEO of V3 Cybersecurity, Inc. “The Minerva platform is solving these challenges and empowering businesses to make informed decisions,” he continued.
The Minerva Exposure Engine by V3 Cybersecurity will provide a machine learning-based approach to valuing organizations and their exposure to a cybersecurity breach. By examining stock variance over time and applying valuation methods on the forefront of academia, the Minerva Exposure Engine will provide never seen before business insight and context to cybersecurity programs. This data-driven approach minimizes the need to spend IT security resources on determining the financial exposure of a public cybersecurity event and is not dependent on the maturity level of an organization’s security program.
While understanding organizational exposure with the Minerva Exposure Engine will elevate your boardroom presence significantly, organizational exposure is not the most significant cause of cybersecurity program failure. One of the most predominant issues facing CISOs today is the lack of alignment with stakeholders and organizational goals. Speak to most tenured CISOs and they will admit that they have faced significant challenges in aligning the organizational stakeholders to achieve their security goals. This idea is eloquently stated in the NACD Blue Ribbon Commission on Culture as a Corporate Asset. “A dysfunctional culture has the potential to undermine the business model and create significant risk for the company.” Unfortunately, organizational dysfunction leaves most CISOs being viewed as obstacles to progress. This, in turn, creates high leadership turnover and security organizations struggling to keep up with the changes in regulatory requirements and evolving threat landscape.
V3 Cybersecurity is taking a unique approach to this issue and is using technology to enforce alignment with organizational goals and input from the organizations’ stakeholders to develop the organizations’ priorities. Through the defined workflow, the Minerva Roadmap Engine will drive the integration of the security program into the organization. While there will be times in which stakeholder buy-in is not optional (such as regulatory requirements), there are many instances where it is a business decision to prioritize allocating resources. Our role as CISOs is to inform the leadership team and board of the IT security risk associated with each option and to drive transparency into this process. This will be done through a simulated impact assessment that will be compared against the current state of the Minerva Maturity Engine.
The process of simulating the impact of projects will give CISOs new capabilities in the contextualization of the impact to organizational security. This level of visibility will allow tomorrow’s CISOs to focus on effectively communicating and educating their organization of the implications and risks associated with their decisions.
Having real-time insight into your security program, understanding the potential financial exposure from a cybersecurity event, and being able to align the security program with the goals of the organization will enable the CISOs of tomorrow to earn influence and trust within the organization’s leadership and board. Knowledge is power, but wisdom is empowering.