
Building a common language to get to “Here’s the proof of cyber resilience”
CISOs can reframe the discussion using data and evidence. Modern cybersecurity tools produce a large volume of data on how they are operating at any point in time, the status of deployed controls, the validation of their configuration and more. There is an opportunity to collect that data, normalize it and derive continuous insights that demonstrate, at any point in time, not just compliance with cybersecurity regulations but overall cybersecurity posture. Because these insights reflect the actual state of the environment rather than intended state, the CISO can surface gaps in protection on an ongoing basis and either close them or help the business set mitigation priorities. In some cases the right business decision is to accept a risk. That acceptance should be captured formally, with the reason it was accepted and who accepted it, and reviewed on a set cadence so that the accumulated risk does not drift beyond the company's appetite over time.
This reduces subjectivity and confusion in board reports: CISOs can show evidence of readiness and effectiveness, and boards can interpret the results in familiar business terms.
Practical steps for CISOs to prove resilience
Deploying cybersecurity tools is critical, but it is not sufficient. Every day, organizations with substantial cybersecurity investments fall victim to attacks. Boards and business leaders place the burden on cybersecurity leaders, but what they actually demand goes further: they want cyber resilience.
Cyber resilience is the ability to continue critical operations under degraded conditions, such as during a cyber incident, and the agility to return to normal operations quickly and with minimal financial impact. It is more than the deployment of cybersecurity tools. Backups must actually be recoverable, which is only known if restores are tested regularly rather than assumed, and cyber insurance policies need to pay claims. Ideally, the organization knows from those tests how long it takes to restore systems from backup, and has the evidence a claim will require at hand so that claims are paid fully and quickly.
