Over the past few years, cybersecurity has cemented its place at the table and is now a key priority for business leaders and boards - in fact, for 46% of boards it is among the top 3 agenda items in 2024. This has led, in many cases, to ongoing conversations between CISOs and the C-Suite about how the risk management strategy is protecting the business.
While this has largely benefited CISOs in drawing attention to the importance of their work, as with all change, it has presented new challenges. With increased, wider-business interest, CISOs have had to adapt to communicate the impact of their program to other stakeholders, who don’t necessarily have a background in cybersecurity.
In parallel, a PwC global survey found that 55% of executives aren’t confident that their cybersecurity spending is accurately aligned with their most significant cyber risk. This points to two areas CISOs need to focus on in order to improve this figure. Firstly, they need to ensure their priorities are backed by data and aligned with wider business objectives. Secondly, they need to be able to more effectively communicate this information to key stakeholders, both to secure buy-in to their strategy and to attain the investment they need to implement it.
In this article, we explain why developing a data-driven cyber risk management lifecycle is key for CISOs to effectively protect their business from cyber threats, and equally critical in being able to communicate their priorities and progress to the C-Suite and board members. We explain what data CISOs need access to, the insights they should be able to draw from it and how technology is ultimately the key to taking a data-driven approach to cybersecurity.
In the past, cybersecurity decisions have largely been made in one of two ways. Most commonly, decisions were made to achieve an audit or compliance objective. Industry compliance is mandatory, and removing “red” findings from an audit report satisfies basic risk management guidelines.
The other common driver of cyber decision-making is an immediate threat or incident - essentially, fix the problem that just happened. This kind of firefighting approach produces a limited view: it can obscure a clear picture of the business’s true risk level and leaves no actionable strategy for reducing that risk over time.
When not firefighting or chasing compliance efforts - if there is time - another approach brings in hypothetical scenarios - ‘What do we think could happen if… and how do we prevent it from happening?’ This kind of planning certainly has a place in determining your broader cybersecurity program. You take stock of where you are today, where your known exposure is and take action to transfer or manage the risk. This approach can be very effective - if you have solid and independent data upon which you can rely. Without the data, CISOs are stuck waiting for a cyber incident to prove their point. With the data, CISOs can build a strong alignment of actual cyber risk to their investments and budgets.
A data-driven cyber risk management lifecycle allows CISOs to operate in a more proactive and effective way. Using data, they’re able to assess the business’s current risks, build a business-optimized risk strategy, execute their plan, track their progress and communicate the impact of their efforts to the wider business. By having access to accurate information as business and industry changes occur, they’re able to move away from moment-in-time decision making towards building and executing a strategy that minimizes the most pressing cyber risks on a continuous basis.
Data-driven cyber (DDC) is fast becoming a preferred approach to cyber governance. By working with cold hard data, CISOs can make, and justify, cybersecurity decisions more effectively.
So what data do CISOs need in order to adopt a DDC approach?
When we look at developing a data-driven cyber risk management lifecycle, there are four key areas you need to have data on:
Businesses need to understand the digital value of their business. This allows them to understand what is at stake. To determine this, they should consider the value of their digital assets and their digital operating value. By having access to these figures, businesses can understand the true digital value of what they’re trying to protect, which often helps put the investment required to protect it effectively into perspective.
CISOs need to be able to put a monetary value on their current threat level. In doing so, they’re able to see how much the business stands to lose if an incident were to occur today. They’re also able to feed this data into effective cyber risk prioritization, ensuring they are addressing the threats with the highest level of loss potential.
Whether a business has just reached the compliance threshold for their cybersecurity, or they’ve implemented some measures to take it to the next level, they need to be able to access data that shows how effective their current controls are. Companies need visibility of how close they are to what they deem an acceptable level of residual risk with the measures they have in place today.
Residual risk is a reality of cyber risk management for all businesses, but they need to have data on what their level of residual risk actually is. Businesses will usually have a level of residual risk that they accept or that is covered by their cyber insurance policy. The challenge arises when their residual risk is higher than they’re willing to accept and poses a bigger potential financial loss than their insurance policy covers. When this is the case, they need to be able to assess why their risk is so high, which controls aren’t performing as effectively as they should be and what measures are required to reduce their risk.
X-Analytics allows companies to gain visibility of all of this data in one place and presents it through a business lens enabling them to develop a data-driven cyber risk management lifecycle.
Having access to data isn’t enough. Data is only helpful if it drives actionable insights. This is one of the challenges CISOs face with cybersecurity data - there’s a lot of it and it can take a lot of time, experience, and ultimately a bit of guesswork to decide where the business should spend that next dollar of investment. On top of that, when CISOs are trying to communicate their decisions to the wider business and secure investment, they often come up against a lack of understanding from business leaders and the board. That’s why we’ve written our guide to securing cybersecurity investment for CISOs to help you with this process.
To answer that question, the insights CISOs need are those that tie cybersecurity to business success.
This may include:
By framing insights in this way, CISOs are able to:
Once risk mitigation measures have been implemented, the cycle begins again. The CISO needs to reassess the current risk levels through risk analysis, establish a new baseline, and identify where the highest residual risk lies in order to plan and implement further risk mitigation solutions.
It may be tempting to skip updating the risk analysis (particularly if this is still a manual process - more on this later…) and continue implementing solutions based on the previous assessment; however, this is not a good idea. Remember the fluctuations we mentioned earlier? What if a new threat has emerged since then? What if the business’s asset values have significantly shifted? What if a competitor has just experienced an incident? What if the cyber insurance policy has changed and there is a different level of protection? The bottom line is that the landscape is constantly changing, and businesses need to make sure they are making the most informed decisions at all times.
For many CISOs, the biggest challenges in maintaining a data-driven cyber risk management lifecycle are the amount of time it takes to manually maintain the rigorous process and how to effectively communicate their strategy and actions to the wider business - fortunately, that’s exactly where X-Analytics can help.
At a top level, X-Analytics aligns cyber risk initiatives with company goals, delivering success for CISOs and their business. But how does X-Analytics specifically help CISOs to develop and communicate a data-driven cyber risk management lifecycle?
Let’s break it down:
The first step to using X-Analytics is to build out a company profile (don’t worry, it’s not as labor-intensive as it sounds - it typically takes less than an hour to get up and running). X-Analytics then uses this to determine the business’s current risk level and cybersecurity maturity, by tying what’s been shared about the current cybersecurity program to open-source data and industry-specific information. We ensure this data is always kept up to date as things change, and we present it in monetary terms.
X-Analytics significantly reduces the hours it would take to initially pull together a quantitative risk analysis and the subsequent hours it would take to ensure this is consistently updated. X-Analytics data is accurate and kept up to date as the landscape shifts and risk mitigation measures are implemented.
It is simple to add business context to a cybersecurity program with X-Analytics. We present cyber risk as a monetary value, so businesses can easily see the cost to reduce a specific risk and the expected reduction in loss potential this offers.
This makes demonstrating the ROI of cybersecurity simpler. Key stakeholders are no longer looking at data they don’t really ‘get’ and struggling to understand how the cybersecurity efforts are protecting the business from potentially huge financial losses.
There are two main ways that X-Analytics helps determine what next steps to take:
Ready to start using X-Analytics to support you and your business at every stage of the cybersecurity feedback loop? Book a demo with one of our cybersecurity experts to get started.