There is much talk about why CISOs need to translate cybersecurity into business terms rather than technical terms in order to get a seat at the board table. But no one has provided an answer as to how.
To address this blind spot, (ISC)² is partnering with PivotPoint Risk Analytics on training and tools that create a common lexicon, one that information security professionals and their boards can both use to understand the business impact of cybersecurity decisions and to demonstrate ROI. PivotPoint has dubbed the approach “Cyber Value at Risk,” or CyVaR.
The concept is endorsed by The World Economic Forum’s Partnering for Cyber Resilience initiative, which has framed cyber value-at-risk as the common risk quantification approach for its members.
“CyVaR arms the CISO with automated cyber risk analytics to create and manage more effective security programs and to be more effective in communicating with other execs in building integrated programs,” said David Shearer, CEO, (ISC)². “We recognize PivotPoint Risk Analytics as the pioneer and leader who is transforming cyber value-at-risk from an interesting concept to a powerful operational capability.”
A common language for information security managers, risk managers, boards of directors and other executives on risk mitigation makes it possible to quantify cyber-risk financially, in dollars and cents, using value-at-risk modeling. As a direct result, CISOs can make better-informed business decisions on security investments, mitigation options and financial risk transfer via cyber-insurance (utilized by only 2% of US organizations today).
As part of the partnership, (ISC)² has used CyVaR to assess its own cyber value-at-risk and to guide the organization in its security strategy and in its decisions about cyber-insurance.
CyVaR helps an organization to understand: how much money it could lose to cyber-attacks over the next year; how investing in more security could reduce its risk; and how much and what types of cyber-insurance it needs to transfer financial risk.
“By quantifying the risk to the most critical corporate information assets and associated software and infrastructure, cyber value-at-risk helps CISOs secure the value of their business and bolster their respect in the boardroom,” said Julian Waits, CEO, PivotPoint RA. “We are excited about this collaboration with (ISC)², a recognized organization that is committed to enhancing the security posture of global organizations.”
Photo © Sangoiri