What’s the best way to describe security risks in terms of business impact?
GVP in Software, 10,001+ employees
would love to get your take on this

Director of Information Security in Energy and Utilities, 5,001 - 10,000 employees
Personally what has worked well is mentioning that bonuses will go poof if we have a large enough breach and that there's a material impact on operations. People tend to take risk far more seriously if the impact is directly relatable to them (in this case their $).

Director of Information Security in Energy and Utilities, 1,001 - 5,000 employees
What is the currency of your business? For most businesses, it is money. But for others, it can be something else. If it is a fire department, their currency is the number of lives they can save. Translate the security risks to the currency in your business.

Director in Manufacturing, 1,001 - 5,000 employees
A lack of security can have a significant real impact on manufacturing. IoT means when security is lacking, things may stop working. This story below is just unfolding right now. https://www.honeywell.com/us/en/press/2021/03/update-on-honeywell-it-system
When you start putting it in those terms, it really simplifies it. It gets muddier when you go down the stack. But I mean, I could tell you from Intel because I did this circuit 2002 book order, pay, build, shut, close, communicate, macro business processes. And there were temporal aspects to it, right? For revenue, for coordination, stuff like that. And the macro technology risk issue would have been the equivalent of what happened with SolarWinds. Somebody got into my network, and manipulated my product, and then took the compute stack out at a Silicon level. Extinction level event, right? Material risk. I know I've oversimplified it but I think if people think that way, it's the survival thing. You can live three minutes without air, three days without water, but three weeks without food.
In the context of the government and outside of very specific communities like the military, special forces, Intel operations, things like material risk are just not concepts that most of the federal government focuses on. Obviously, if you're a regulatory agency and you're all about food safety, you may really focus on that. But at the macro strategic level, it is difficult to recall any conversation where this kind of concept of material risk was brought up and discussed. And I think there could be a lot of value in trying to inject some of these ideas into how the executive branch in particular thinks about its risks around cybersecurity, data integrity, data availability, and the like. It'd be nice to find a way to inject that concept into a dialogue and say, "Okay, stop thinking about the way that you like to articulate how you approach these issues. And tell me about it from a material risk standpoint. Tell me what would be an existential event for the Department of Health and Human Services in terms of cyber."
Well, I mean, you look at it and you go, "The OPM breach was an existential threat that they weren't properly managing." Right? Yet the implications of it were absolutely material.