CIO Cyber & Risk Network November 2020
The Cyber and Risk Network November call focused on the following areas:
1. Their own examples of metrics that did, or did not, resonate with directors and executive management
2. There are many frameworks, but most are so long or so technical that boards lose interest.
5. NIST’s Cybersecurity Framework is a common approach from a broad perspective, whereas the Center for Internet Security’s Critical Security Controls are focused on the technical aspects.
4. One participant made the point that with a control, “Unless you have 100% coverage, it is zero% effective” because an adversary only needs one way in.
5. Performing a full rundown on all costs associated with a typical incident - i.e. similar to what is currently in the news - provides a financial perspective of the cost of not being adequately prepared.
6. Continual progress is required, and any snapshot - or third party assessment - becomes the baseline that future progress must improve on.
7. All the CIOs agreed that focusing on the top priorities of the business was crucial, because it helps focus attention on what really matters to the business. Because, “No business exists just to be secure”.
8. For security budgets to resonate, they must be mindful of the business margins.