Cyber risk is in one of the top 3 global business risks and it threatens the ability of an enterprise to succeed in a dynamic environment and meet their strategic business objectives.
However, many business leaders have a significant knowledge gap on cyber risk and security!
In a recent study commissioned by Cisco, board members and business leaders from Global 2000 companies revealed that only one-third of boards have the level of knowledge they need to effectively govern cyber risk.
Chief Information Security Officers (CISOs) are tasked with the (challenging) job of bridging that gap, by helping boards and business leaders in determining the business risk of cyber threats, prioritize security investments and improve security performances.
…all in business terms they readily understand:
- how much could this risk cost to my business?
- how much are we spending to mitigate this risk?
Sounds easy right? This is of course a massive challenge.
The CISO challenge with the Board
1 – Why would the board prioritize an investment in cyber-security (a cost center for the organization) versus many other investments that also contribute to successfully achieve business objectives (and those are usually profit centers), if they do not understand clearly what risk for their business is? “Steering Committee Gap”
2 – How can the CISO get visibility on the overall cyber risk of the organization and prepare to report to the steering committee? “CISO Visibility Gap”
3 – How can security managers and team leaders ensure their teams have enough cyber-security resources to prioritize cyber-security actions. “Cyber-security Priority Gap”
Effective and robust cyber-security is built on three pillars: people, processes and technology.
In this blog I would like to show you an example on how technology can be leveraged to support the CISO with these challenges.
A “little” help from a cyber-security dashboard:
Working remotely is becoming more popular.
Companies that run the majority of their business on ERP systems are starting to rely much more on data to see what their users are doing.
The same approach must be applied to cyber-security. In order to identify risks generated internally (employees/partners) or externally (intruders).
ERP systems produce and store an enormous amount of logs and data that can be leveraged to identify:
- millions cyber events, produced by…
- thousands of internal users (or hackers), logging in from…
- hundreds locations, into…
- dozens of systems, creating…
- an handful number of critical risks!
Then the overall residual risk (cost/loss impact) for the organization needs to be calculated.
The end objective is to provide the board with enough information to make faster and better decisions in protecting critical assets, privacy and reputation while safely driving critical business strategies.
This is what it looks like:
Built with the integration between SAP Security Solutions and SAP Analytics Cloud, the SAP Cyber-security Dashboard provides helicopter views on the overall security posture of the company.
Based on a number of algorithms, it calculates the overall qualitative and quantitative residual risk score of the organization and allows drill-downs into meaningful business risk context (e.g. risk location, risk descriptions, risk owners etc…) – therefore supporting the CISO in bridging the “Steering Committee Gap”
The dashboard also supports the other’s CISO challenges, the “CISO Visibility Gap” and “Cyber-security Priority Gap”.
By enabling multiple levels of drill-down into specific areas/location of risk and providing real-time status updates on the ongoing security operations.
This is only a snapshot of the capabilities of the dashboard, with the objective of showing how technology can be used as the enabler to bridge the gap between cyber-security and the board.
Most logs, events, configuration and risk data are already stored in systems and not using this data to provide useful insights to the board is a (big) missed opportunity.
Of course it does not solve all the CISO’s problems related to people, processes and technology.
But showing the art of the possible has been since ages a very effective way to bring attention to topics that are sometimes misunderstood or underestimated, until they became a real problem…
…and at that stage is unfortunately too late to react…
Join the SAP Security Community to learn more: https://community.sap.com/topics/security
Follow me on LinkedIn: https://www.linkedin.com/in/gabrielefiata/?originalSubdomain=uk