Response by Christopher Gerg, CISO and vice president of cyber risk management, Gillware.
With 2020 nearly upon us, I am finding that many organizations are doing a poor job of prioritizing information security risks appropriately. Part of this is a product of how the information is presented and the context within which it is presented. Part of it is mindset: many organizations' management teams think of IT and information security as a cost center.
They also think of the role of technology as one of convenience; websites are a nice way to market your company, and email is a nice way to communicate. In reality, many organizations find that their entire business grinds to a halt when their computing infrastructure is locked up with ransomware. In addition, I think that people in senior management roles think in terms of finances and classic business (MBA-style) strategy.
Ultimately, management can do one of three things to address a risk: fix it directly (buy something or change something), insure against the risk (transfer the risk to your cybersecurity insurance policy), or simply assume the risk (with knowledge of the impact if there is an issue as a result of the risk materializing).
A report of risk to management should include a discussion of the nature of the risk, the likelihood of it materializing, and finally the impact on the business. This gives management the context to decide how to address the reported risks, in a language that business people will appreciate.
The solution revolves around communication. Framing the message in terms of risk to the organization, and making that the core of your reporting, is essential. Why do we need to change how we do something, or spend money to address something? What risks are we trying to address, and how significant are they? How will the proposed fix address that risk? Is it sustainable?