Putting the business impact of cyberthreats on the board agenda

By Paul Bayle, Head of Security and CSO, Atos

Increasingly, the cybersecurity strategy for an organization must be baked into its business strategy to ensure that it can manage an increasingly complex digital environment.

Investment in security is vital for an organization, not only for maintaining security and trust of customers, but providing a competitive advantage and enabling long-term growth through secure digital transformation. Giving the board the right information at the right time is paramount in keeping cybersecurity on the agenda as a business benefit, rather than a cost.

Knowledge is power – inside and out

The conversation around budgeting for digital security must demonstrate a complete knowledge of the digital environment. This can be complex in large and distributed organizations where shadow IT and shifts in working arrangements may have changed the landscape incrementally. An understanding is needed of:

  • The business imperatives
  • Plans for the future
  • Digital perimeter and assets
  • Processes and people

This is not a straightforward task, but shining a spotlight on how much there is to protect, and on the full scope and scale of the job at hand, is essential.

Build a story that speaks to the board

Once this is established, it is time to look outside of the organization and ensure board awareness of the increasing rate of cyber threats. This can be achieved through regular reporting across competitors and the landscape. A regular feed of information on attacks and consequences – both reputational and financial – can help those who are not involved in security to understand the prevalence and level of business risk involved. Indeed, security metrics used by security practitioners (such as vulnerabilities or number of incidents) do not often speak to the board, as it is difficult to see their impact on the business.
Board interest centers on benchmarking security metrics against peers: how does my organization’s security compare to peers of similar size in the same industry? This includes benchmarking security spend as a percentage of IT budget, peer comparison of average incidents per high-value asset, and peer comparison of average critical vulnerabilities per asset.
There is also growing recognition at board level of the criticality of response. For example, the speed at which a business unit can be restored to normal operations after a security incident or breach is a high-value metric at board level. Investments and initiatives that shorten the time to return to normal operations, and that reduce business loss through faster restoration, are gaining strong traction at board level in the context of the ever-increasing ransomware threat.
This information can be used to build a story that identifies the risks at the perimeter and the ways in which the organization is vulnerable. Presenting it through business-driven metrics will secure buy-in. Aligning security metrics with the Balanced Scorecard methodology is an effective way to communicate with the board: metrics that reflect the four Balanced Scorecard perspectives (financial, customer, operational, and learning & growth) are simple and meaningful. From here, a plan and an appropriate budget can be formulated, and the exercise is transparent and easily understood by all stakeholders.

What is the appropriate budget?

The issue for CISOs is that this question has no easy answer: the amount you could spend on security is almost limitless!
Even the most protected organizations could still have vulnerabilities, so an important balance must be struck between risk and reward. CISOs must ensure that all known threats are covered and, importantly, that appropriate controls are in place to detect threats before they become an issue and to protect the organization from them.
Although organizations share more about cybersecurity incidents than before, there is still reticence to disclose or talk openly about them. More transparency from organizations on the costs they have incurred from security breaches would be a helpful indicator of the level of budget that should be allocated to security. Public agencies such as the European Union Agency for Cybersecurity (ENISA) could support the private sector with this by collecting and anonymizing such data.

External forces

Increasingly, legislation and regulations are pushing accountability for digital security up to board level. Securing personal data and maintaining the security of critical infrastructure are concerns for both the public and private sectors, with authorities imposing fines for any failure to secure data.
Insurance companies are also becoming wise to the potential costs of security issues and increasingly need to see detailed cybersecurity plans before they will underwrite the risk.
The bottom line is that organizations cannot sit still on this issue. The board needs to be kept informed of risks on a regular basis and understand that security is evolving quickly. Following numerous recent and successful ransomware attacks, threat actors have access to money and are extremely smart. Keeping up with them requires ongoing work, dedication and, importantly, investment.
