Managing Cyber Risk – The New Mandate from the Corner Office

Robert Huber


Cybersecurity ranks as one of the top five concerns for directors of public companies, alongside business model disruption and changing world economic conditions.1 With destructive breaches splashing across the daily news, one truth rings clear around the executive table: Cyber risk impacts enterprise risk management.

Tenable is committed to helping security leaders manage enterprise risk by minimizing their cyber exposure gap and maximizing opportunities. Cyber Exposure is an emerging discipline for measuring and managing cyber risk across the modern attack surface, and is the new critical risk metric for aligning Cyber to business outcomes.

In order for security leaders and their teams to quantify and measure cyber risk alongside every other business risk, they need to confidently answer these critical questions:

  • Where are we exposed?
  • Where should we prioritize based on risk?
  • Are we reducing our exposure over time?
  • How do we compare to our peers?

Distilling risk and translating it into business terms means that security leaders and non-IT executives need to collaborate closely to create leading risk indicators that influence business decision making. A recent Gartner report highlights key recommendations you can take now to get started creating these critical risk metrics that resonate with both non-IT executives and boards of directors.

You can learn more about this below, and begin to close the Cyber Exposure gap across your modern attack surface today.

Robert Huber, Chief Security Officer, Tenable

1. 2017–2018 NACD Public Company Governance Survey

Tenable, Inc.

Tenable: Providing the Industry’s First Cyber Exposure Platform
The stakes have never been higher for understanding cyber risk, and the challenges never more daunting. The expanding attack surface has given rise to an unrelenting barrage of vulnerabilities, making it harder to see the few that matter most. The result: an ever-expanding cyber exposure gap that increases the chances of a business-disrupting cyber event. As CISOs are asked to quantify their organization’s cyber risk and compare it to industry peers, they lack an effective way to measure and communicate this data to the CEO and Board. Tenable offers the world’s first Cyber Exposure Platform, which eliminates blind spots with the industry’s most comprehensive visibility into traditional and modern assets, such as cloud, mobile devices, containers, web applications and industrial IoT. CISOs can now be armed with answers to the questions their Boards are likely to ask about measuring, managing and quantifying cyber risk.

Quantifying Decisive Security Metrics to Determine Overall Cyber Exposure
The unsettling truth? New vulnerabilities and exploits are discovered daily. Even worse: once an exploit goes public, the vulnerability’s risk transforms from hypothetical to real. Tenable Research analyzed the 50 most prevalent vulnerabilities over a three-month period and discovered an alarming truth: attackers are in the lead. In fact, they have a 7-day head start. For 76% of the analyzed vulnerabilities, the attacker had first-mover advantage (a working exploit was public before defenders had assessed for the vulnerability), emphasizing the importance of proactively and holistically analyzing and measuring Cyber Exposure across the entire modern attack surface. Live visibility is not only a foundational element of cyber hygiene; it is also the only way for organizations to flip the advantage to defenders for the majority of vulnerabilities. Download the Tenable Research report now to get recommendations on how to reduce the attacker’s 7-day window of opportunity.
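The "head start" finding above is, at bottom, a metric: for each vulnerability, the gap between the date a working exploit became public and the date defenders first assessed their assets for it. The script below is an added illustration of how a security team could compute that metric from its own scan history; it is not Tenable Research's methodology or code. The vulnerability records, dates and CVE labels are constructed for the example, and the definition of "attacker first-mover advantage" (assessment date strictly later than exploit publication date) is an assumption made here. It also breaks the share down by month, which is the trend view behind the question "Are we reducing our exposure over time?"

```python
from collections import defaultdict
from datetime import date
from statistics import median

# Constructed sample records (not real scan data). Each entry pairs the date a
# public exploit appeared with the date our scanner first assessed for the flaw.
SAMPLE = [
    {"cve": "CVE-EX-0001", "exploit_public": date(2018, 1, 5),  "first_assessed": date(2018, 1, 15)},
    {"cve": "CVE-EX-0002", "exploit_public": date(2018, 1, 10), "first_assessed": date(2018, 1, 9)},
    {"cve": "CVE-EX-0003", "exploit_public": date(2018, 1, 20), "first_assessed": date(2018, 1, 27)},
    {"cve": "CVE-EX-0004", "exploit_public": date(2018, 2, 2),  "first_assessed": date(2018, 2, 9)},
    {"cve": "CVE-EX-0005", "exploit_public": date(2018, 2, 14), "first_assessed": date(2018, 2, 14)},
    {"cve": "CVE-EX-0006", "exploit_public": date(2018, 2, 20), "first_assessed": date(2018, 2, 23)},
    {"cve": "CVE-EX-0007", "exploit_public": date(2018, 3, 1),  "first_assessed": date(2018, 2, 27)},
    {"cve": "CVE-EX-0008", "exploit_public": date(2018, 3, 10), "first_assessed": date(2018, 3, 12)},
    {"cve": "CVE-EX-0009", "exploit_public": date(2018, 3, 15), "first_assessed": date(2018, 3, 14)},
    {"cve": "CVE-EX-0010", "exploit_public": date(2018, 3, 20), "first_assessed": date(2018, 3, 25)},
]


def head_start_days(record):
    """Days the attacker had a public exploit before we first assessed for it.

    Positive: attacker first-mover advantage (assumed definition: assessment
    strictly after exploit publication). Zero or negative: we assessed on or
    before the day the exploit went public.
    """
    return (record["first_assessed"] - record["exploit_public"]).days


def exposure_summary(records):
    """Aggregate the head-start metric over a set of vulnerability records."""
    deltas = [head_start_days(r) for r in records]
    attacker_first = [d for d in deltas if d > 0]
    return {
        "total": len(deltas),
        "attacker_first_count": len(attacker_first),
        # Share of vulnerabilities where the attacker moved first.
        "attacker_first_share": len(attacker_first) / len(deltas) if deltas else 0.0,
        # Typical size of the window when the attacker was ahead.
        "median_head_start_days": median(attacker_first) if attacker_first else 0,
    }


def share_by_month(records):
    """Attacker-first share per month of exploit publication (trend view)."""
    buckets = defaultdict(list)
    for r in records:
        buckets[r["exploit_public"].strftime("%Y-%m")].append(head_start_days(r))
    return {
        month: sum(1 for d in deltas if d > 0) / len(deltas)
        for month, deltas in sorted(buckets.items())
    }


if __name__ == "__main__":
    summary = exposure_summary(SAMPLE)
    print(f"{summary['attacker_first_count']}/{summary['total']} vulnerabilities: "
          f"attacker moved first ({summary['attacker_first_share']:.0%}), "
          f"median head start {summary['median_head_start_days']} days")
    for month, share in share_by_month(SAMPLE).items():
        print(f"{month}: attacker-first share {share:.0%}")
```

The two numbers a board will ask about are the share (how often the attacker is ahead) and the median window (how far ahead). Reporting the monthly share alongside them turns a one-off research statistic into a leading indicator the team can be held to quarter over quarter.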

Boosting Cybersecurity ROI with a Risk-Based Approach
How should CISOs prioritize based on risk? Reducing the massive universe of vulnerabilities down to a subset of the ones that matter most to your organization is a good place to start. This ebook explains the most critical elements required for CISOs to gain a clear outlook on their organization’s true business risk and realize higher ROI on cybersecurity risk management programs. Read more here.

Case Study: Transforming Vulnerability Data into Actionable Insights for Stakeholders
Stone Pagamentos expects to stay a step ahead when it comes to vulnerability discoveries and industry best practices. By choosing Tenable as its strategic business partner, they gain visibility into cyber risks and can report to all stakeholders on cyber exposure, helping facilitate decision-making and impacting ROI. Learn how here.


Develop Key Risk Indicators and Security Metrics That Influence Business Decision Making

Paul E. Proctor, Jeffrey Wheatman, Rob McMillan, Srinath Sampath

31 July 2018

Many risk metrics presented to non-IT executives and boards of directors are ineffective. Security and risk management leaders should work directly with non-IT executives to create leading indicators that influence business decision making.

Key Challenges

  • Security and risk management (SRM) leaders struggle to create metrics that resonate with non-IT business decision makers.
  • SRM leaders are challenged to effectively leverage their relationships with business decision makers because of poor metrics.
  • Non-IT business decision makers often don't know what they need from risk and security professionals.


Security and risk management leaders focused on maturing their information security management program should:

  • Work directly with non-IT executives to better understand the major recurring decisions they make, and the key performance indicators for which they are accountable.
  • Create metrics that are leading indicators with defensible causal relationships to business outcomes.
  • Select metrics that resonate with an executive-level audience by abstracting the operations- and technology-focused metrics.
  • Highlight the recommendations or decisions to be made by non-IT executives.

Strategic Planning Assumptions

By 2020, 90% of IT risk and security organizations will report metrics to non-IT executive decision makers (up 10% from 2015).

By 2020, only 25% of the metrics reported by IT risk and security organizations to non-IT executive decision makers will be considered useful by the target audience (up from 1% in 2015). [...]