The CISO Hotseat: Managing cybersecurity risk


By Jonathan Trull, CISO, Qualys

Governments worldwide are starting to make significant moves to defend against hacking gangs. But even with the heightened focus on protecting digital assets, bad actors have a head start, and organizations are still reporting unease in their ability to ward off ongoing threats.

Today's organizations face a growing number of catastrophic breaches, internet-shaking vulnerabilities, nation-state backed attacks and a severe rise in ransomware. Verizon's 2022 DBIR reported a 13% year-over-year increase in ransomware (a rise as big as the previous five years combined) and identified exploitation of vulnerabilities as one of the top vectors attackers use to gain an initial foothold in an organization's environment.

Regardless of size, geography or industry, managing cyber risk is the number one job of today's CISO. But with limited visibility, disparate tools and point solutions, and time-consuming manual processes, security teams are struggling to keep up and spend an inordinate amount of time managing individual threats rather than reducing overall risk.

As a result, cyber risk has become a regular boardroom topic, with the CISO on more than 50% of quarterly board agendas. Why? Recent catastrophic attacks and the influx of threats have underscored that cybersecurity is a bottom-line business issue, with the average cost of a data breach rising from $3.86M in 2020 to $4.24M in 2021.

CISOs are in the hot seat for reducing cyber risk. They must adopt risk-based methodologies that allow cybersecurity technologies, processes and people to converge and collaborate. Such methodologies are prescribed by everything from industry mandates and government regulations to financial audit standards, and CISOs must satisfy all of them while simultaneously strengthening cyber defenses and maintaining continuous compliance. And that's not all: they must then clearly report status and progress to the board, demonstrating the effectiveness of security controls against internal objectives and industry benchmarks.

So how can CISOs sit in the hot seat without getting burned? To manage cyber risk they must:

  • Assess risk by gaining visibility and control over every IT asset in the environment. Effective attack surface management starts with a complete asset inventory and a thorough threat assessment; a vulnerability on an asset nobody knows about cannot be prioritized, let alone fixed.
  • Reduce risk by consolidating siloed security tools into a unified platform with automation for risk monitoring, detection and remediation. Assign actionable remediation steps to the security, IT or compliance teams that own them, in the ticketing system they already use (e.g., ServiceNow or Jira).
  • Achieve risk control by focusing security and IT teams on the vulnerabilities that matter most in the organization's unique environment, rather than on raw severity scores, to reduce actual exposure.
  • Report risk via automated dashboards with clear, risk-defined metrics measured against industry standards.
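As an added illustration of the four steps above (this is example code written for this page, not code from the article or from Qualys), the script below runs a constructed asset inventory and a constructed set of scanner findings through one pass of assess, reduce, control and report. The scoring weights, the risk threshold and the sample data are assumptions chosen for the example; a real program would take criticality ratings from the business and exploitation status from a maintained feed such as the CISA KEV list. The point it demonstrates that the bullets alone do not: a CVSS 9.8 on an isolated, low-value host ranks below a CVSS 7.5 that is internet-exposed, actively exploited and on a crown-jewel system, and a finding on an asset missing from the inventory is surfaced as a visibility gap instead of being silently dropped.

```python
"""Risk-based vulnerability prioritisation over a constructed asset inventory.

Added example for this article, not Qualys product code. The weights,
thresholds and the sample inventory/findings below are assumptions.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Asset:
    name: str
    criticality: int        # 1 (low) .. 5 (crown jewel); assumed business rating
    internet_exposed: bool
    owner: str              # team that receives the remediation ticket


@dataclass(frozen=True)
class Finding:
    asset: str
    cve: str
    cvss: float             # CVSS base score, 0.0 .. 10.0
    known_exploited: bool   # e.g. present on the CISA KEV list


# Constructed sample data: one inventory, one scanner export.
ASSETS = [
    Asset("pay-api-01", 5, True, "payments"),
    Asset("intranet-wiki", 2, False, "it-ops"),
    Asset("build-runner-03", 3, False, "platform"),
]
FINDINGS = [
    Finding("pay-api-01", "CVE-2024-0001", 7.5, True),
    Finding("intranet-wiki", "CVE-2024-0002", 9.8, False),
    Finding("build-runner-03", "CVE-2024-0003", 6.5, False),
    Finding("legacy-ftp", "CVE-2024-0004", 9.1, True),   # host not in inventory
]


def risk_score(asset: Asset, finding: Finding) -> float:
    """Weight the raw CVSS score by what matters in *this* environment.

    Multipliers are assumed for illustration: criticality 1..5 scales the
    base score, internet exposure adds 50%, active exploitation doubles it.
    """
    score = finding.cvss * asset.criticality
    if asset.internet_exposed:
        score *= 1.5
    if finding.known_exploited:
        score *= 2.0
    return round(score, 1)


def prioritise(assets, findings):
    """Assess + control: return (ranked findings, unmatched findings).

    Findings on assets missing from the inventory are a visibility gap and
    are reported separately instead of being dropped or mis-scored.
    """
    by_name = {a.name: a for a in assets}
    ranked, unmatched = [], []
    for f in findings:
        asset = by_name.get(f.asset)
        if asset is None:
            unmatched.append(f)
            continue
        ranked.append((risk_score(asset, f), f, asset))
    ranked.sort(key=lambda r: r[0], reverse=True)
    return ranked, unmatched


def tickets_by_owner(ranked, top_n):
    """Reduce: group the top-N findings by owning team, one ticket list each
    (what would be pushed to Jira or ServiceNow)."""
    tickets = defaultdict(list)
    for score, f, asset in ranked[:top_n]:
        tickets[asset.owner].append((f.cve, asset.name, score))
    return dict(tickets)


def board_metrics(ranked, unmatched, threshold):
    """Report: how much of the exposure sits above the (assumed) risk threshold."""
    total = len(ranked) + len(unmatched)
    high = [r for r in ranked if r[0] >= threshold]
    return {
        "findings": total,
        "above_threshold": len(high),
        "share_above_threshold": round(len(high) / total, 2) if total else 0.0,
        "inventory_gaps": len(unmatched),
    }


if __name__ == "__main__":
    ranked, unmatched = prioritise(ASSETS, FINDINGS)
    for score, f, asset in ranked:
        print(f"{score:6.1f}  {f.cve}  {asset.name}  ({asset.owner})")
    print("inventory gaps:", [f.asset for f in unmatched])
    print(tickets_by_owner(ranked, top_n=2))
    print(board_metrics(ranked, unmatched, threshold=40))
```

With the sample data, `CVE-2024-0001` on `pay-api-01` scores 112.5 and tops the list, the CVSS 9.8 on the internal wiki scores 19.6, and `legacy-ftp` is reported as an inventory gap to be resolved before its finding can be scored at all. The multipliers are deliberately simple; the structure (score in context, route by owner, summarize against a threshold) is what carries over to a real program.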

Cybersecurity entails mitigating several categories of risk, whether posed by standalone software applications, integrated technologies or human error. It is critical for today's CISO to adopt a framework that drives cyber risk reduction through automation, measures program effectiveness and communicates the results clearly to the board.
