Good point. Talk about money and the board listens…:
[…] So Rettas asked, “What do you think executives and boards want to know about cyber risk when they talk to the CISOs of these organizations?”
According to Vescio, it boils down to two components:
- They’d like to understand on an annual basis how much loss should be expected from cyber incidents or cyber peril. This could be related to data breaches, ransomware, denial of service interruption, etc.
“Ultimately I think that if they could take all of the vulnerability metrics, and incident response metrics, and other metrics that are typical, and translate that into some expected value (we expect to lose $13 million or $15 million or $20 million on an annual basis due to cyber incidents), I think that’s one big question that they’re looking for an answer to,” Vescio said.
- When something bad happens, then what does that really mean to our organization? What does it mean in direct costs, and indirect costs and opportunity costs like brand damage? And are we talking about something that is catastrophic as in we could lose our entire business, or something that’s highly damaging as in it could be worth hundreds of millions, if not billions, of dollars in damage to our organization, or something even less than that?
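Vescio's first component, an annual expected loss figure for the board, is usually produced with a frequency-times-severity model: how many incidents per year, and how much each one costs, simulated over many years. The block below is an added illustration, not something from the interview or the original post; the parameters (4 incidents a year on average, incident cost lognormal with mu=13.0 and sigma=1.2, "catastrophic" at $50M and "highly damaging" at $10M) are constructed assumptions chosen to give dollar figures in the range Vescio mentions, not figures from any organization.

```python
import math
import random


def poisson_draw(rng, lam):
    """Draw one Poisson(lam) variate (Knuth's multiplication method)."""
    limit = math.exp(-lam)
    k, p = 0, 1.0
    while True:
        p *= rng.random()
        if p < limit:
            return k
        k += 1


def expected_annual_loss(rate, mu, sigma):
    """Closed-form expectation: mean incident count times mean incident cost.

    Incidents per year ~ Poisson(rate); cost per incident ~ LogNormal(mu, sigma),
    whose mean is exp(mu + sigma^2 / 2).
    """
    return rate * math.exp(mu + sigma ** 2 / 2)


def simulate_annual_losses(rate, mu, sigma, years=20000, seed=7):
    """Monte Carlo: total loss in each of `years` simulated years (seeded for repeatability)."""
    rng = random.Random(seed)
    totals = []
    for _ in range(years):
        n = poisson_draw(rng, rate)
        totals.append(sum(rng.lognormvariate(mu, sigma) for _ in range(n)))
    return totals


def percentile(values, q):
    """Nearest-rank percentile for q in [0, 1]."""
    ordered = sorted(values)
    idx = min(len(ordered) - 1, int(q * len(ordered)))
    return ordered[idx]


def classify_loss(loss, catastrophic, highly_damaging):
    """Map a loss amount onto the tiers Vescio describes (thresholds are assumptions)."""
    if loss >= catastrophic:
        return "catastrophic"
    if loss >= highly_damaging:
        return "highly damaging"
    return "manageable"


def summarize(rate, mu, sigma, catastrophic, highly_damaging, years=20000, seed=7):
    """Board-level view: expected annual loss plus the tail the board actually worries about."""
    totals = simulate_annual_losses(rate, mu, sigma, years, seed)
    n = len(totals)
    return {
        "expected_loss_analytic": expected_annual_loss(rate, mu, sigma),
        "expected_loss_simulated": sum(totals) / n,
        "p50": percentile(totals, 0.50),
        "p90": percentile(totals, 0.90),
        "p99": percentile(totals, 0.99),
        # Probability that a single year lands in each of the two worst tiers.
        "p_catastrophic": sum(1 for t in totals if t >= catastrophic) / n,
        "p_highly_damaging": sum(1 for t in totals if highly_damaging <= t < catastrophic) / n,
    }


if __name__ == "__main__":
    # Constructed assumptions: 4 incidents/year, lognormal cost, $50M and $10M tier thresholds.
    report = summarize(rate=4.0, mu=13.0, sigma=1.2,
                       catastrophic=50_000_000, highly_damaging=10_000_000)
    for key, value in report.items():
        print(f"{key:>24}: {value:,.3f}" if key.startswith("p_") else f"{key:>24}: ${value:,.0f}")
```

The analytic expectation is the single number Vescio says boards ask for ("we expect to lose $X on an annual basis"); the simulated percentiles and tier probabilities answer his second question, because a $3.6M expected loss looks very different to a board when the 99th-percentile year is several times that and there is a measurable chance of crossing the catastrophic line. The inputs (incident rate, cost distribution) are where the vulnerability and incident-response metrics he mentions have to be translated into parameters; that translation, not the arithmetic, is the hard part.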