Cyber Risk Benchmarking: The Language of the Boardroom
Need to talk cyber risk with the C-suite and board? Speak the language they’ll understand.
Download full ebook
The Threat Landscape Today
With a threat landscape constantly in flux, breaches have become the business norm – putting added pressure on CISOs and their security teams to safeguard their organization. Several obstacles prevent this from being an easy ask.
91% of organizations have suffered a damaging cyberattack in the past two years.

Insufficient visibility
The attack surface has expanded to include cloud, DevOps, mobile, and IoT assets. 29% of organizations report having adequate visibility into their attack surface.
Source: 2018 Ponemon Institute survey

Vulnerability overload
New vulnerabilities are growing by the day.
Chart, new vulnerabilities per year: 2016: 9,937; 2017: 15,038; 2018: 16,500.
Source: Tenable Research Team

Talent shortage
Many organizations report not having enough talent to scan for vulnerabilities. 58% of organizations say staff shortages hinder vulnerability scanning, and 28% of organizations do not scan at all.
Source: 2018 Ponemon Institute survey

Manual processes
51% spend more time navigating manual processes than responding to vulnerabilities.
Source: 2018 Ponemon Institute survey

Inability to quantify risk
Most organizations can’t quantify what financial or operational impact a cyberattack would have on their organization.
Source: 2018 Ponemon Institute survey

Speaking the Universal Language
To get on the same page as the board, it’s important to speak the same language. Not everyone on the board will have a technical background, so speak in terms of business risks and opportunities, not technical details.

What four things do secure organizations have in common?
A CISO
C-suite collaboration on a security plan
C-suite-level engagement
Boardroom transparency on cyber risk management

Learn a new language!
The scenarios below show how to turn tech speak into something the C-suite and board can understand.

Scenario 1
CISO speak: We’ve spotted 600 vulnerabilities on our 2,500 mobile devices.
Explainer: The number of vulnerabilities identified only gives the board a snapshot. Instead, explain which business-critical IT services might be affected.
Translated to Boardroom-ese: We are exposed to this vulnerability on 12% of our infrastructure, including containers, web apps, and servers. Our average time to address an issue of this magnitude is 18 days.

If you can give [the board] good data about exposure...they can relate to the data. They want to be part of the story to help you solve the problem and manage risk better.
– Dan Bowden, CISO, Sentara Healthcare

Scenario 2
CISO speak: We’ve patched X number of vulnerabilities.
Explainer: It’s not enough to tell the board that you’re keeping patches up-to-date. They need to know that critical assets are protected against threats in the wild, as well as the ROI on your security efforts.
Translated to Boardroom-ese: Our Cyber Exposure dashboard shows how we’re remediating the most dangerous vulnerabilities on our most critical assets. We can deploy resources based on vulnerabilities most likely to be attacked and benchmark cybersecurity effectiveness against industry peers.

Questions of Benchmarking

1. How Are We Reducing Risk Over Time?
Answering this question is vital to getting the board to understand how your security efforts and investments are paying off. There are five steps needed to answer this question:

Map your attack surface
Implement a Cyber Exposure platform that gives you visibility into every asset and vulnerability.

Rank your assets by criticality
Establish a tiered system for assigning business importance to assets. Look at factors like the presence of sensitive data, the regulatory environment and internet exposure. And keep the system flexible enough to adjust to changes in your attack surface.

Standardize metrics
Keep metrics consistent to measure performance. Consider using KPIs like:
Time to assess
Time to remediate
Effectiveness of prioritizing cyber risk
Identification of vulnerable assets

Track your Cyber Exposure Score
A Cyber Exposure Score looks at vulnerability priority, asset criticality and process maturity. An effective scoring system should include:
Vulnerability severity and exploitability
Threat context (is it being exploited in the wild?)
Business context (financial or operational impact of a compromised asset)

Turn learnings into action
Take your learnings to the board so you can create a plan to reduce cyber risk together. Consider these key risk indicators (KRIs) when presenting:
Loss or alteration of intellectual property
Strategic information leakage
Financial fraud
Disclosure of sensitive customer data
Downtime of online sales channels
Source: IBM Institute for Business Value

2. How Do We Compare to Our Peers?
External benchmarking data tells you how vulnerable you are compared to your peers, and provides the board with a true picture of risk and liability. Comparing your security program to peers requires access to:
Advanced risk-based scoring: Weigh vulnerabilities, threat data, and each asset’s business value and criticality.
High-quality data (lots of it): Compare your organization against thousands of others to achieve reliable industry benchmarks.

Ready to speak to the board in a language they can understand? Tenable Lumin, the industry’s first Cyber Exposure command center, can help.