In our recent LinkedIn poll, we asked security leaders, “What keeps you up at night?”
Here is the result of our poll:
It’s no surprise most poll respondents are concerned with being blamed for an attack. Being a cybersecurity leader today is a very stressful job.
In the late nineties to the early aughts, the notion of digital transformation was a luxury rather than a necessity. Communicating cyber risk to the C-Suite in a meaningful way wasn’t a top priority. And preventing cyber-attacks was treated with a medieval attitude. Back then, success was measured and rewarded through a very simple yardstick: the best-built fort wins. In essence, whoever had the biggest and baddest system of protection won the battle against cybercriminals, fraudsters, and others with malicious intent.
And no news was considered good news.
Things have changed rapidly these past few years, and the state of cybersecurity has shifted with them. Even before the global pandemic, threats had started morphing into unpredictable shapes and sizes, and cybersecurity leaders are sleeping much less these days because of this increased uncertainty. Given the number of high-profile breaches and security incidents in recent years, it seems we are battling an amorphous and highly educated enemy with advantages on many fronts: technology, information, economics, and education. Simply protecting against threats seems to be an exercise in futility that no longer yields a confidently quantifiable security outlook. Hence the blame game when an event happens and security leaders are subsequently questioned by the C-Suite and the board of directors. If you were a fly on the wall, you might hear statements like these:
“Your team didn’t do enough.”
“Why was this not prevented?”
“Why is the impact so significant?”
“It’s your fault.”
How to avoid being blamed for an attack
To avoid blame after an attack, cybersecurity leaders need to understand their biggest potential risks so they can make plans and wise investments to address them. This shift in thinking is proactive rather than reactive, and cyber risk quantification often comes to mind as the solution.
Quantifying cyber risk is an immensely valuable experience for cybersecurity leaders and risk leaders. It is an opportunity to examine cyber events that could happen closely and their impact on the organization. Inevitably, this leads to changes in the organization’s control environment, so not only does it provide a better understanding of the risk, but it’s also a valuable way to identify improvements.
Quantification can also be a confronting experience for a cybersecurity leader at first. A control would need to be missing or fail for almost any cyber event to occur. So, exploring the susceptibility of the organization to a cyber event type can make the cybersecurity leader feel like they need to defend their current posture.
This can serve as a powerful awakening: it shows where the blame for a cyber incident would land before the incident ever happens.
We once worked with a cybersecurity leader who took a defensive posture in a quantification onboarding workshop. Two years later, we did a second quantification engagement with his company, and his attitude had changed entirely. He kicked off the work with a speech to the participants, saying something to the effect of: “We had Axio here two years ago and have spent the last two years working with the output of that quantification workshop. We’ve added controls to manage risks that we couldn’t transfer. We’ve also altered controls for risks that we can transfer. We’re now collaborating with our insurance team to prioritize our investment and controls based on the kinds of impact that we cannot transfer through insurance instruments to ensure that we’ve got the enterprise adequately protected. Our job in this engagement is to explore additional risk exposures so that my team can continue to optimize our posture.”
This kind of outcome can alleviate the worry of being “blamed for an attack” by enabling the collaboration needed to identify which risks matter most and to take remedial action in a timely fashion.
If you’d like to learn more about Axio360 cyber risk quantification, we welcome you to schedule a brief demo.
One more thing…for those who have snoring pets
The Axio family sympathizes with the 26% of security leaders who are disturbed by their snoring pets. We love our furry friends and have collected some tips to help them and you to sleep more soundly.
- Nightly yoga session with your animal before bed
- Get ear plugs
- Get your pet their own apartment
Happy National Dog Day from Axio!