With the rising importance of cyber security to the bottom line and reputation of every company, it has now become a board-level issue. CISOs are being asked to report their organizations’ cyber security and risk posture in a meaningful, consistent and understandable way, so that the board can make informed decisions.
Risk Fabric bridges the boardroom gap by using actual financial impact statistics to explain cyber risk. Board members want to see the potential financial loss if an asset were compromised and what actions were taken to decrease that loss value. Boards speak the language of financial impact and can make intelligent cyber risk decisions based on actual value-at-risk metrics. With Risk Fabric, the board can understand and make decisions about the organization’s cyber risk posture, just as they understand and rely on the quarterly financial statements presented by the CFO. The platform provides a consistent top-down view and metrics that can be tracked every day by those in the security and risk organization, ensuring alignment from the front lines to the board.
Many cyber security and risk organizations in large enterprises are still producing their board reporting in the same way that sales and finance used to produce their financial reports. Data is extracted from numerous operational systems, loaded into spreadsheets and then manually manipulated until the numbers line up. Just as in other critical operational areas of the enterprise, cyber risk and security organizations are now being asked to provide quantitative metrics, produced using an automated, rigorous and consistent process. Just like a balance sheet or income statement, cyber risk metrics presented to the board need to represent the same underlying data each and every quarter, so that changes can be presented consistently.
Risk Fabric provides automated scorecards, generated from the same cyber risk data used by the security, IT and operations teams. Detailed operational data is integrated into a common model, traceable from top to bottom, that can be rolled up to produce understandable risk-centric scorecards, even for non-security practitioners. For example, the risk-centric scorecards include critical performance trends for regulatory assets, application risk and vulnerability ratings, and security awareness trends versus actual user behavior.
Everybody is trying to achieve the same goal: protect the enterprise. Investigators and vulnerability management teams need a list of the threats and vulnerabilities that must be addressed, prioritized by severity and potential loss impact. Operations teams need to identify gaps in coverage and see how their organization is performing in remediating threats and vulnerabilities. Executives require a top-down perspective that highlights their greatest risks, the potential financial loss tied to those risks, and how well the enterprise is being protected, so they can drive strategic and tactical improvements. Finally, Boards of Directors require a quantitative risk scorecard that enables them to understand the lay of the land, so that they can make informed decisions and provide appropriate guidance. The end goal for each of these stakeholders, whether the IT team, line-of-business leaders, the C-suite, or the boardroom, is to understand the financial impact of their risk level and what needs to be done to reduce that potential loss value, and therefore the risk to their organization.