Every Solution You Can Imagine – and More
What cybersecurity solution do you need? From Zero Trust to ADR, IAM, risk/privacy, data protection, AppSec and threat, securing digital transformation, to resiliency and remediation, we can build the right program to help solve your challenges.
A Single Partner for Everything You Need
Optiv works with more than 400 world-class security technology partners. By putting you at the center of our unmatched ecosystem of people, products, partners and programs, we accelerate business progress like no other company can.
We Are Optiv
Greatness is every team working toward a common goal. Winning in spite of cyber threats and overcoming challenges in spite of them. It’s building for a future that only you can create or simply coming home in time for dinner.
However you define greatness, Optiv is in your corner. We manage cyber risk so you can secure your full potential.
The Danger of Assumptions
A version of this article originally appeared in the November/December 2019 issue of NACD Directorship magazine.
A communications breakdown between chief information security officers (CISOs) and board members is all too frequent. Typically, the culprit for this breakdown is identified as cultural: CISOs often spring from a technical background, where they are more comfortable discussing “speeds and feeds” than profits and losses. For many directors, it’s the exact opposite. For both, there may be unrealistic expectations of the other’s ability to naturally bridge the gap.
Given the high stakes of cyber risk, boards and CISOs need to break through this communications impasse. The first step is for each to question their assumptions, making sure that business facts are proven and understandable to all. Some common board member assumptions that should be clarified with the CISO follow.
CISOs should be able to deliver return on investment (ROI) numbers.
Cybersecurity uses computer technology to combat threats, but not in the same way as the information technology (IT) function. The primary rationales for deploying IT systems are to improve efficiency, reduce costs, and increase revenue. These outcomes are readily measurable in conventional ROI calculations, and none of them are conventional rationales for deploying cybersecurity systems.
Rather, ROI on cybersecurity investments should be viewed through the same lens as other contingent liabilities, like pending lawsuits and product warranties, in addition to the risk of reputational damage and reduced brand equity. However, this will never happen if board members assume cybersecurity ROI can be measured like IT ROI.
Board members won’t be targets.
Just because board members do not work at the company every day does not eliminate them as a cyber risk. In fact, board members have access to the most sensitive information in the company, making them ideal targets for well-researched phishing attacks targeting high-value individuals (so-called “whaling” attacks).
Companies should have mandatory, outcomes-based employee cybersecurity training in place, and board members and senior executives should be included. Anyone who assumes they are above such training becomes a risk to their companies.
The company should focus its security efforts on threats in the news.
This is emblematic of a “threat-centric” approach to cybersecurity, where organizations are fixated on the latest threat. Every organization is different, and it may very well be that the threat you’re seeing in the headlines is not likely to be affecting your organization.
Cybersecurity programs should be risk-centric, not threat-centric. When you focus on all threats, you spread your forces too thin, overinvest in technology, and create a morass of cost and complexity. You also tend to overlook the risks that are attributable to fundamental weaknesses in your internal business processes that are easily exploited. When you take a risk-centric approach, you understand which assets are most likely to be attacked and who is likely to attack them, and concentrate your forces accordingly.
The CISO’s most important job is to prevent data breaches.
No CISO can prevent all data breaches. Assuming that this is their most important function guarantees failure. Rather, the CISO’s most important job is to understand the enterprise’s cyber risks and to implement a program that effectively manages it. Their top job is to establish the organization’s risk tolerance and plan for when things go wrong—because they almost certainly will.
A good CISO will have a comprehensive incident response plan in place that is rehearsed several times a year. This is critically important: how well an organization responds to security incidents has a profound impact on the overall business damage caused. The board is able to measure a CISO’s readiness efforts and encourage more preparedness as needed.
The CISO knows what the security budget should be.
The cybersecurity industry tends to fuel the threat-centric security model, which has led to CISOs investing large sums in the latest technologies. Now, many organizations find themselves with too much technology, too few people to run it, and no idea what investments to make next.
Assuming that the CISO knows how much is needed can be a dangerous proposition, unless the CISO can articulate in measurable terms how that budget will reduce enterprise risk. Wise, risk-focused CISOs should understand the right budget levels because they also understand contingent liabilities and how to articulate investment in people, process, and technology to reduce risk exposure.
Reevaluating these assumptions will close the communication gap between boards and CISOs, and create much more effective, economical, and board-supported enterprise risk oversight.
Let us know what you need, and we will have an Optiv professional contact you shortly.