How to align cybersecurity investment with your business risk
Many CISOs can probably relate to the old saying “half the money I spend on advertising is wasted; the trouble is, I don’t know which half”. Without quantifiable data to guide investment in cybersecurity controls, they are often unsure where to target that investment most effectively.
To address this, C-Risk has launched a three-part series of webinars, aiming to share best practice on how to factor in IT security control performance when calculating cyber risk in financial terms.
When organizations have a better understanding of which controls give the most value, they can make more informed decisions about reducing their risks and minimizing outages or loss events. This way, they can align security investment more closely with business assets that are most at risk.

Identifying investments
The guest speaker at the webinar was Jack Jones, an authority in cyber risk management who created the FAIR standard, and who currently serves as Chief Risk Scientist at RiskLens. “Organizations absolutely need to be very good at identifying where they need to be spending their time and effort,” he said. “If an organization believes it should be investing in encryption, multi-factor authentication or a SIEM solution, or whatever the case might be, it’s their responsibility to understand whether that’s a good investment or not.”
The webinar looked at the role of FAIR (Factor Analysis of Information Risk), an independent standard for quantifying and managing information risk. This has generated a lot of excitement and anticipation within the risk management community, according to Tom Callaghan, Co-founder of C-Risk and co-chair of the FAIR Institute Paris chapter.
