Beyond the Breach - Risk vs Investment

A CISO Perspective

Reputational risks also influence appetite

Don’t ‘over’ insure to mitigate risk

Though insurance is a key tool in the arsenal to mitigate the impact of an attack, it should not be seen as a risk transfer strategy. With your premiums adjusted according to your risk profile, there is a danger that some organisations may seek to ‘over’ insure rather than put the controls in place to prevent attack. Instead, take a balanced approach in which cyber insurance complements your security architecture and helps to mitigate the immediate and long-term costs you could face in the event of a breach.


As we know, breaches can be financially costly, and reputationally so, too. Ensuring your security set-up has the right spend behind it to protect against or mitigate the fallout of an attack will be important if reputational damage is a key concern for your organisation.


Collaboration with peers, clients and even competitors

Making sure the tools you have at your disposal work smarter, rather than investing in a number of different solutions, should be a key focus for CISOs too. Undertake a detailed review of your control requirements, contracts and licenses. Is there overlap, where you hold multiple licenses for the same type of solution, and if so, can you opt to use the services of one provider? Are there other solutions available that would work better together than your current tools and provide more holistic protection?

It is vital to understand the shifting risk appetite and priorities that affect budgets. How an attack impacts your finance teams is very different from how it will impact HR departments, so addressing individual team concerns, and demonstrating how your organisation’s cyber security budget addresses them, is important. Increasingly, though, there is a need to go beyond talking about cyber security solely in the language of breaches or reputational damage.

Never compromise your business’s risk. In the face of economic difficulties, look to take a more pragmatic approach, whether this relates to risk appetite, insurance, tools or suppliers.

Managing suppliers

The stability of your supply chain and its vulnerability to attack is another aspect of managing suppliers; procurement due diligence often demands these checks, but increasingly, ongoing monitoring will be needed. Do your suppliers have vulnerability disclosure programmes you can review? Can you access their software bill of materials (SBOM), which details the patch status, versions, licenses and components present in their codebase? Consider this in budget discussions, as internal resource or third parties, such as software escrow services, may be needed to support recovery, just as they would if your organisation were the intended target of attack.
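To make the SBOM review above concrete, here is an added example (not from this paper or its author) showing the kind of ongoing check a security team can automate once a supplier hands over an SBOM. It assumes a CycloneDX-style JSON document, and the component names, the minimum-version thresholds and the approved-license list are all constructed placeholders for illustration, not statements about any real project or supplier.

```python
import json
import re

# Constructed sample SBOM in CycloneDX-style JSON (component names and versions are made up).
SAMPLE_SBOM = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.4",
    "components": [
        {"type": "library", "name": "tlslib", "version": "1.1.1k",
         "licenses": [{"license": {"id": "Apache-2.0"}}]},
        {"type": "library", "name": "logfmt", "version": "2.14.1",
         "licenses": [{"license": {"id": "Apache-2.0"}}]},
        {"type": "library", "name": "padutil", "version": "0.3.0",
         "licenses": [{"license": {"id": "AGPL-3.0-only"}}]},
        {"type": "library", "name": "compresslib", "version": "1.2.13"},
    ],
})

# Hypothetical review policy: minimum versions the reviewer has decided are acceptable
# for the components they track, and the licenses procurement has approved.
MIN_VERSIONS = {"tlslib": "1.1.1t", "logfmt": "2.17.1", "compresslib": "1.2.13"}
ALLOWED_LICENSES = {"Apache-2.0", "MIT", "BSD-3-Clause"}


def version_key(version):
    """Turn '1.1.1k' into a tuple that compares sensibly: numbers numerically, letters as text."""
    parts = re.findall(r"\d+|[A-Za-z]+", version)
    return tuple((0, int(p)) if p.isdigit() else (1, p) for p in parts)


def parse_sbom(text):
    """Return a list of (name, version, license_ids) from a CycloneDX-style JSON document."""
    doc = json.loads(text)
    if doc.get("bomFormat") != "CycloneDX":
        raise ValueError("unsupported SBOM format: %r" % doc.get("bomFormat"))
    components = []
    for comp in doc.get("components", []):
        licenses = []
        for entry in comp.get("licenses", []):
            lic = entry.get("license", {})
            ident = lic.get("id") or lic.get("name")
            if ident:
                licenses.append(ident)
        components.append((comp["name"], comp.get("version", ""), licenses))
    return components


def review_sbom(components, min_versions=MIN_VERSIONS, allowed_licenses=ALLOWED_LICENSES):
    """Group review findings by type so they can be raised in risk and budget discussions."""
    findings = {
        "below_minimum_version": [],   # supplier ships a version older than our threshold
        "unapproved_license": [],      # license not on the approved list
        "no_license_declared": [],     # SBOM gives no license at all for the component
        "not_tracked": [],             # component we have no version policy for yet
    }
    for name, version, licenses in components:
        if name in min_versions:
            if version_key(version) < version_key(min_versions[name]):
                findings["below_minimum_version"].append(
                    f"{name} {version} (minimum {min_versions[name]})")
        else:
            findings["not_tracked"].append(name)
        if not licenses:
            findings["no_license_declared"].append(name)
        elif not set(licenses) <= allowed_licenses:
            findings["unapproved_license"].append(name)
    return findings


if __name__ == "__main__":
    for kind, items in review_sbom(parse_sbom(SAMPLE_SBOM)).items():
        print(f"{kind}: {items}")
```

Re-running this each time a supplier publishes a new SBOM turns the one-off procurement check into the ongoing monitoring the paragraph calls for; the "not_tracked" list is a useful prompt for which components still need a policy decision.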

A 2022 report from Forrester, CISOs’ Tactics To Win Every Budget Battle, discussed the need to factor cyber security costs into cost of sale (CoS) and cost of goods sold (CoGS); reviewing controls by ‘cost per customer’, the return on insurance policy coverage and cost per regulation could aid Board-level budget discussions.
