InSights Blog

The red lights are flashing everywhere. News stories are warning about a sharp rise in ransomware attacks, a 2000X fold increase in cybersecurity breaches, and more cyber-related doomsday scenarios. Meanwhile, the Biden Administration released a much-anticipated cybersecurity plan earlier this year, calling for more investments in cybersecurity.

Cybersecurity incidents are on the rise, and the monetary setbacks for victims are considerable. The average cost of a data breach in the U.S. has soared to nearly $8.6 million, and these costs are expected to grow by 15% over the next five years.

Boards are increasingly looking at cybersecurity as a crucial part of the business. The problem is, the board doesn’t always know what to look for or how cybersecurity impacts the business. What the board really wants to hear in the next report is how you’re generating results for the organization and how those results are creating ROI on the spend. Here are a few cybersecurity questions and a few metrics that the board really wants to hear about in the next report.

One of the more challenging aspects of third party risk management is effectively communicating risk. Often the risks posed by vendors are highly technical, and it can be tempting to simply put together a slide or list to review with business owners, executives or board members. But this can often create an obstacle to buy in, as few people have the expertise to understand what these risks mean. 

No one should be surprised to learn that IT and cybersecurity jobs can be extremely stressful. Now, a convergence of trends has, in many cases, brought this stress to a breaking point.

Since the creation of the first CISO role about 25 years ago, the job has changed dramatically. What was once an uncommon position has quickly become standard, with the majority of companies including a cybersecurity-specific role in their C-suites. 

A monthly or quarterly report is a great way to summarize a SOC’s performance and uncover insights for executive leadership. But as a security and risk manager or executive, what information should you request from the managers who report to you?

Today, disruptive risks are an area of focus for corporate directors worldwide. On a global basis, we face disruptions in areas like geopolitical volatility, economic slowdown, emerging technologies, cybersecurity threats, and climate change.

Data breaches are a constant in today’s headlines, but in recent years the risk has been front and center of some of the most significant M&A deals. In 2017, Verizon discounted its acquisition price by $350 million when Yahoo belatedly disclosed that it experienced several massive breaches. And in November 2018, Marriott publicly disclosed that Starwood’s guest reservation database — containing hundreds of millions of personal records — had been compromised since 2014, prior to the Marriott acquisition. These incidents — and countless others — raise critical questions.  How should Boards be thinking about cyber risk in the acquisition process? What steps should they take to address this risk prior to the acquisition?

While many IT, security, and risk professionals have developed good metrics and visuals for communicating internally about cyber risk, such as the safety cross and pareto charts, reporting on cybersecurity to non-technical individuals remains challenging.

In the months since BitSight’s inaugural EXCHANGE forum, we have been digesting and processing the incredible sessions and discussions that came about from this forum. It was a great event that brought together security executives from all over to discuss the challenges they face in their roles every day.

In today’s evolving threat landscape, corporate directors are increasingly asking for security performance updates from Chief Information Officer, Chief Information Security Officers, Chief Risk Officers, and other executives.

In today’s evolving threat landscape, corporate directors are increasingly asking for security performance updates from Chief Information Security Officers, Chief Information Officers, Chief Risk Officers, and other executives. I recently sat down with James Lam, director at RiskLens and E*TRADE Financial Corp., to discuss Board members’ responsibility when it comes to information security and cyber risk.

Cybersecurity is a growing topic of discussion in Board meetings everywhere — given this fact, Board members need to be prepared to speak knowledgeably about their organization’s cybersecurity posture and programs. As businesses near the last quarter of the year and begin their planning processes, Boards must also be thinking about how to best prepare for 2019.  Here are some factors that Boards must take into consideration:

In today’s landscape, managing your internal security processes as well as creating a third-party vendor risk management program should be top of mind, but prioritizing a solid understanding of the metrics surrounding your cybersecurity programs almost just as important. These metrics should dive deeper than “yes” or “no” questionnaire answers, but should help you gain a more comprehensive understanding of where you and your third parties fall when it comes to proactively mitigating cyber risk.