Cyber Risk in Business Speak

Introduction

I got a video suggestion from an early cyber mentor who helped me cross over in 2020. He says:

“I think a lot of techies would appreciate from your background how to communicate risks 'in business speak'. Aligning to corporate goals, being data driven and not falling in the fear, uncertainty and doubt trap.”

Alan

That sounds awesome, so I'll take a first step today, by sharing a technique to bridge the perspectives of Sales where ABC stands for Always Be Closing, to Cybersecurity where ABC stands for Always Be Cybersafe.

I came up with this technique myself, but have since seen others doing it in the wild and having success with it to advance their security programs. It’s to put a dollar value on the customers who have asked for any form of security assurance. And then when you need budget, headcount or work cycles from other departments to reduce cyber risk, this top line number might be all Finance or the business needs to give you a green light, without drilling down to those challenging budget conversations about cost of a breach, blinky light technologies and Advanced Persistent Threats.

Step 1: Make a list of customers who have asked Sales reps in the field about your cybersecurity controls

How do you make that list? Well hopefully you’re in their workflow, to review contracts that have security control requirements, before they are signed.

Once you’re in that workflow, make a ticket every time for tracking. Or a spreadsheet log, or do something in Salesforce and this will be an input to your list. Same with security questionnaires. Same with requests for ISO27k, SOC2 or other compliance.

Step 2: Call Finance or Sales Ops

When you have that list of customers ready, call up your Finance or Sales Ops business partner and say: hey, I need a Salesforce, Tableau or Power BI report that puts a dollar value, every month, on this list of customers that I’m going to keep up to date.

I’m coming to you with this request because I know that you don’t like shadow reporting, the same way I don’t like shadow IT. And I know we’re laser focused on revenue, and this report is going to help with that.

I hear that ACV (annual contract value) is a good metric for this customer assurance reporting, but I know ACV is renewal focused and maybe you’d prefer a new logo emphasis with opportunity value. I’m open to whatever metric you think is best, but it needs to have a dollar sign.

If you can please make the first report, I can keep it up to date and I won’t need to bug you again.

And then they’ll send you the data and it’s probably going to be a real time dashboard in your browser.

Step 3: Make Your Report

Here’s a mockup of how you could put an insightful report together based on the data:

Customer Assurance ACV

As at <insert date>

Customers that sent Security questionnaires

  • 12 accounts with $5M Annual Contract Value

Top 3

  1. Puppies.com

  2. McDonald’s

  3. Shell

Customers requesting SOC2 compliance

  • 20 accounts for $20M

Top 3

  1. Procter & Gamble

  2. Google

  3. Netflix
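To show how the tracking log from Step 1 turns into the report above, here is an added example (not code from the original post). It assumes the log is a list of rows with an account name, the type of assurance request, and that account's ACV in dollars; the rows below are constructed sample data, and "Acme Corp" and every dollar figure are made up. An account that asks more than once is counted only once per category so its ACV is not double-counted.

```python
from collections import defaultdict

# Constructed sample of a customer-assurance tracking log (not real customer data):
# one row per request Sales forwarded, with the account's annual contract value in $.
# The same account may appear more than once (e.g. a repeated questionnaire).
ASSURANCE_LOG = [
    {"account": "Puppies.com", "request": "questionnaire", "acv": 2_000_000},
    {"account": "McDonald's", "request": "questionnaire", "acv": 1_500_000},
    {"account": "Shell", "request": "questionnaire", "acv": 1_000_000},
    {"account": "Shell", "request": "questionnaire", "acv": 1_000_000},  # repeat request
    {"account": "Acme Corp", "request": "questionnaire", "acv": 500_000},
    {"account": "Procter & Gamble", "request": "soc2", "acv": 9_000_000},
    {"account": "Google", "request": "soc2", "acv": 6_000_000},
    {"account": "Netflix", "request": "soc2", "acv": 4_000_000},
    {"account": "Acme Corp", "request": "soc2", "acv": 500_000},
]

def summarise(log, top_n=3):
    """Return {request_type: {"accounts": n, "acv": total $, "top": [account names]}}.
    Each account is counted once per request type, however often it asked."""
    per_type = defaultdict(dict)  # request type -> {account: acv}
    for row in log:
        per_type[row["request"]][row["account"]] = row["acv"]
    report = {}
    for request, accounts in per_type.items():
        ranked = sorted(accounts, key=lambda name: accounts[name], reverse=True)
        report[request] = {
            "accounts": len(accounts),
            "acv": sum(accounts.values()),
            "top": ranked[:top_n],
        }
    return report

def render(report, as_at):
    """Lay the summary out in the shape of the mockup above."""
    labels = {"questionnaire": "Customers that sent security questionnaires",
              "soc2": "Customers requesting SOC2 compliance"}
    lines = ["Customer Assurance ACV", f"As at {as_at}", ""]
    for request, data in report.items():
        lines.append(labels.get(request, request))
        lines.append(f"  • {data['accounts']} accounts with "
                     f"${data['acv'] / 1e6:.1f}M Annual Contract Value")
        lines.append("  Top 3")
        lines.extend(f"    {i}. {name}" for i, name in enumerate(data["top"], 1))
        lines.append("")
    return "\n".join(lines)

if __name__ == "__main__":
    print(render(summarise(ASSURANCE_LOG), "<insert date>"))
```

Point the log at an export of your tickets or spreadsheet and the only thing that changes is how `ASSURANCE_LOG` is loaded.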

So that’s the idea. Give it a shot and let me know if you have any questions. Of course feedback is welcome. And of course this technique is far from comprehensive.

More Comprehensive Cyber Risk Reporting

Getting into more comprehensive risk reporting, I like Kip Boyle’s Summary Scorecard from his book and courses.

His company Cyber Risk Opportunities uses the NIST Cybersecurity Framework to give a score to each function: Identify, Protect, Detect, Respond, Recover. Each function’s score is an aggregation after evaluating the more granular outcomes within it.

  • Everything has actual, target and variance

  • Summary table in the top left

  • More detailed diagram in the bottom left

  • And then on the right: Top 5 risks

  • And projects to address those risks as a function of business value and cost.

He’s got a recent podcast on this topic:

They talk about how the tricky thing about being a CISO is that the metrics they have that are easily measured don’t matter, and the metrics they want either can’t be measured or they just can’t get. And then they offer practical tips from their decades of experience.

I’ve got lots more to say on this topic from my accounting and business administration background that I’ll save for another day.

For now let’s end it here. Thanks for reading. Be safe, be well.