Chief Risk Technology Officer @ Qualys | xCISO: Twilio, GE, LendingClub | Author: How To Measure Anything In Cybersecurity Risk etc...
A defeated CISO sighed, “Am I a glorified purchasing agent?”

He was bemoaning the “rinse, wash, repeat” budgeting cycle…

Where CFOs reluctantly release capital to security…

With a “vague sense of moral obligation.”

What the CISO wanted… without saying it or realizing it… was to work collaboratively…

From a shared objective of “protecting the business from material impact.”

If he said that to the CFO, the CFO would likely smile and say, “Motherhood and apple pie… thank you for stating the obvious!”

Material impact, while borrowed from the SEC… equates here to losses large enough to matter to stakeholders…

They are plausible losses that could derail business objectives…

(And would most certainly end up on your Form 8-K.)

The question for our CISO now is… how do we do this? How do we collaborate on business terms?

Sun Tzu (author of The Art of War) must have had a CFO.

He said, “Tactics without strategy is the noise before defeat.”

Over a thousand years ago he knew defenders and financiers must be aligned…

But whose job is it to fix this “strategic misalignment?”

The CISO.

Why do I say that?

It’s our job to meet “the money people” on their terms…

You simply can’t force the CFO, board, e-team, and business stakeholders… onto your terms and tools…

That’s backwards…

It’s what created the problem in the first place… leading to CFOs with “a vague sense of moral obligation.”

Now I am going to say something quite unpopular:

Cyber Risk Quantification (CRQ) should have been “the practice” for doing all of the above.

Unfortunately, the way it’s presented creates more distance.

It puts the cart before the horse… Actually, it’s all cart… no horse.

The good news is that if you are fully operating from the “Sun Tzu” mindset… and are committed to meeting the business on their terms and their tool chains… 100% focused on their objectives… then a CRQ solution could really help…

But with the wrong point of view… it’s another tactical purchase by a glorified and unfulfilled purchasing agent.

If this line of reasoning interests you… I have added a link to an article published today by the fine folks at The Stack.

Also, stay tuned for freemium regional and online trainings.

#CISO #CFO #CRQ #cyberriskquantification