Better Understand Your Company’s Appetite For Risk
The CISO’s main job is to drive the organization’s cybersecurity culture and manage its risk tolerance, asking, “Do I have unmitigated risk that exceeds the risk appetite of my firm?”
Although sophisticated hackers and AI-powered cyberattacks tend to dominate headlines, human error remains the largest threat to organizations, accounting for roughly 88 percent of cyber incidents. CISOs must understand the organizations they work for, gaining a clear picture of whether observed or potential risk exceeds the company’s risk appetite.
They can start by asking questions: Are employees participating in risky IT behaviors? How comprehensive and successful is our awareness training program?
Humans are the weakest link in the chain, so it’s critical for organizations to take a human-centric approach to mitigating the risk of AI and other cyberthreats.
Four Steps to a Human-Centric Cyber Framework
CISOs should consider AI-based risk an additional layer within their human-centric decision-making process and build it into the following four-step framework:
- Quantify your risk. Make the failure scenarios affecting your organization quantifiable from both a business and a cybersecurity perspective: what would it cost, how likely is it, and how much of that exposure is already mitigated. It’s critical to stay focused; not every risk can be mitigated to zero. For a business to operate, it must balance security against convenience, not security against insecurity; the trade-off is between protection and usability, and accepting some residual risk is a deliberate business decision, not a failure.
- Maximize your controls. Invest in best-of-breed security controls and awareness training, ensuring their impact is maximized. Requiring awareness training for every employee, for example, helps eliminate plausible deniability. Employees can’t claim they didn’t know to avoid suspicious links or that there was a gap in the business’ defenses. Leverage your ecosystem of controls to share threat intelligence and create more resilient and robust defenses.
- Reduce your attack surface. Across people, processes and technology, do as much as you can to fortify the human firewall and minimize exposure. Multifactor authentication, effective vulnerability management and getting the basics right are key. Don’t worry about zero-day attacks when you’re still struggling to patch known critical issues in a timely manner. By maximizing your controls as described above, you’re well on your way to achieving this.
- Get the right stakeholders engaged. Connect cyber risk to business outcomes to earn funding and executive support. This involves learning the language of the stakeholder to effectively communicate risk in terms that resonate with your audience.
Targeted storytelling applies beyond the C-suite: Before driving change, CISOs must understand who in their organization will be most affected. Have those people acknowledge that there’s a problem, then involve them in solving it. That way, they understand why multifactor authentication or security pop-ups are important, not an unnecessary burden.