Let’s talk about CIOs and Cyber Risk

In our previous blog, we looked at how cyber risk quantification (CRQ) can help CISOs and their teams to address some of the most pressing cybersecurity issues today. But change requires buy-in, so cross-functional collaboration and communication are vital. In this blog, we are going to look further into the concerns of their fellow C-suite peers.


Chief Information Officers (CIOs) oversee information technology and digital transformation initiatives to prepare the organization for change. Their role is to drive innovation and create revenue-generating ideas for the business. CIOs typically have more of a business background than an IT one. While this is great for developing operational strategies, security is not always top of mind. This is where collaboration between CISOs and CIOs is vital. And you guessed it – CRQ is great for helping bridge this communication gap!

So why are some CIOs still hesitant or skeptical about CRQ? Well, here are some of the questions and comments that we’ve heard first-hand:

“How can we efficiently enable security and resilience of our business without hindering objectives?”

CIOs are telling us that they are struggling with how to balance the speed of change with security. They’re honest about it: if you want something fast, don’t go through security, because it will slow down the process and cause delays. But picture this: if you go ahead without security baked in and something comes up later, wouldn’t it be more expensive to fix it than it would have been to prevent it?

In some ways, security is like insurance. It is an expense. You don’t see the value but it is there to protect you ‘in case’ you need it. With this mindset – it can be easy to pass on security, cut corners or even think ‘it will never happen to us’. This needs to change.

Security is not an obstacle designed to prevent the speed of change. Remember – security is not ‘Doctor No’ (as Jerry Caponera, VP of Cyber Risk Strategies at ThreatConnect, says). It is vital that we shift this narrative and demonstrate how programs with security built in can provide a competitive advantage. A strong cyber security strategy can help you to achieve business objectives and make you more resilient – this is why CRQ is so important.

“How can we modernize and accelerate company growth to drive new revenue opportunities?”

When we think about risk, we’re talking about uncertainty, and this can be good or bad. Typically with risk we focus on the negative outcomes, so I love that they’re starting to ask this question. Not all risks are dangerous – the right ones are opportunities.

We’re starting to hear from more CIOs a desire to tie security into business value. Tying the two conversations together makes company growth actionable and consumable, all while increasing efficiency.

This enables a CIO to demonstrate how a security budget is helping reduce risks and translate that into business value. In doing so, you can spot opportunities faster, provide greater confidence in plans and improve resilience. This is what will set businesses apart going forward and it’s imperative for CIOs to have this in their skillset.

“How do we correctly size budgets and prioritize?”

CRQ helps you optimize your resources and capital, providing risk reduction where it matters the most. With cost/benefit analysis and a clear understanding of the ROI of different scenarios, business leaders can effectively allocate resources. This doesn’t always mean spending more. Sometimes it’s just about putting resources to better use.

In cases where you need to spend more, CRQ allows you to justify your decision. By using ‘What If’ analysis, you can compare the outcomes of different scenarios and make the best decision. This in itself is extremely valuable, as it starts a new type of conversation that wasn’t possible before.

“Security already has many solutions, yet another solution? How is this one going to help me?”

This reservation is understandable. Research by the Ponemon Institute found that the average enterprise is running an average of 45 different security tools and technologies. Those that have more than 50 solutions in place are 8% less able to detect a cyberattack and 7% lower in their ability to respond.

Going back to an earlier point – if a CIO’s job is to help modernize a business and prepare it for the future, then change management is a must. CRQ allows CIOs to pinpoint exactly what is going to allow them to accelerate their business growth and where to focus their attention. It provides the agility needed to adapt to changing times.

In addition, having a CRQ solution in place can help you understand if your existing investments are providing value. It may help you condense the tech stack, giving you more time to use the tools that are proving their worth.

“Security takes too much of my time already, won’t this increase the burden?”

This is not a quick win. Risk management should always be a longer-term strategy and part of the bigger picture.

We’re starting to see, from a CIO perspective, a focus on business value, and this means financial value – the bottom line. For security, this has historically been hard to pinpoint, as it is an outlier in this respect. Not anymore. CRQ allows you to calculate the ROI of cybersecurity spending in a way that qualitative assessments didn’t permit.

Gartner’s 2022 CIO Agenda Survey found a shift in CIOs – while CIO priorities previously centered on improving financial efficiency, there is now a trend towards flexibility and adaptability. Cost savings may help bolster margins in the short term, but that’s not what’s going to keep the business thriving forever. This is confirmation that rapid response to environmental change is where value will be. It starts with company culture, which is not always easy to reform. Luckily, CRQ can help with that too.

This blog contains only a snippet of our conversations with CIOs, so if your concerns have not been covered, please don’t hesitate to contact us! Let us know what is holding you back from quantifying your cyber risks. It’s always so interesting to hear different perspectives, and here at ThreatConnect we encourage those discussions.

Be sure to look out for my next blog, which will delve into what I am hearing from CFOs. Here are the previous blogs in this series:

Key Drivers Accelerating CRQ

Let’s talk about CISOs and Cyber Risk Quantification

About the Author
Sawsan Hamawandy

Sawsan is the EMEA Demand Generation Manager at ThreatConnect. Her interest in cyber risk management has led her to speak and write about how organizations can future-proof their strategies using insights gained first-hand from clients, prospects and partners. She began her career in cybersecurity at an MSSP in London, then transitioned to a GRC vendor, where she helped large organizations including the United Nations, Telkom SA and the MOD.