Alex Yampolskiy, CEO of SecurityScorecard, said Chief Information Security Officers need to become more proactive and speak in business terms amid boardroom pressure, budget cuts and new threats.
Yampolskiy, speaking on DisrupTV, outlined the new landscape for CISOs. SecurityScorecard produces security ratings across 10 risk factors, along with insights, assessments and quantified cyber risk. Yampolskiy's appearance on DisrupTV came as the 2023 Verizon Data Breach Investigations Report found that 24% of all breaches involved ransomware, 83% of breaches involved external actors and 19% involved internal actors.
Here's a look at the key cybersecurity themes from Yampolskiy.
Cybersecurity is a boardroom issue. The Securities and Exchange Commission (SEC) has proposed cybersecurity disclosure rules that would require public companies to disclose a material cybersecurity incident within four business days of determining that it is material. "This disclosure of cyber incidents is much faster than before, so I think it's going to be a wake-up call for a lot of boards," said Yampolskiy.
Why KPIs matter. Yampolskiy said KPIs on cybersecurity are critical, but undeveloped. "I think security has always been subjective and that's a problem," said Yampolskiy. "With cybersecurity people think they are safe but aren't. KPIs quantify risk and even if you don't agree with them at least you know you can improve what you can measure."
Cybersecurity has to be proactive. "If a company has to wait for regulations to worry about security they're already in trouble," said Yampolskiy.
Compliance doesn't equate to security. Yampolskiy said compliance and cybersecurity practices overlap in areas but aren't equal. "Fully compliant doesn't mean you're fully secure," he said. Compliance and security are overlapping circles rather than concentric ones, and the gaps where the two do not coincide are where attacks happen, said Yampolskiy, who added that cybersecurity calls for a continuous improvement approach rather than a point-in-time audit.
Advice for CISOs. Yampolskiy is a former CISO and acknowledges that the job is stressful. "CISOs frankly have an awesome amount of responsibility," said Yampolskiy. "It's an incredibly stressful job." His advice for CISOs:
- Speak the language of the boardroom. CISOs have to save budget while trying to secure data that is proliferating by the minute. CISOs need to speak in terms of ROI and financial impact. "The No. 1 thing CISOs need to do is communicate in the language of boards. Don't spend a lot of time on technical terms, but make sure the board knows the risks and the financial impact," said Yampolskiy.
- Position cybersecurity as an enabler of transformation instead of a cost center. "A lot of CISOs say no a lot and have a negative perception as a cost center and do not get a seat at the table," said Yampolskiy. "Position yourself as somebody who enables the board to conduct more business and earn the trust and credibility of your customers and drive more revenue growth."
- Quantify risks. "Have a set of objective KPIs that you can measure and quantify risks," said Yampolskiy. "Then you can show the board your plan, show how your industry is doing and how competitors are doing."
Be proactive, not reactive. Yampolskiy said CISOs can't sit around waiting to be attacked. Assume breach: operate as if an adversary is already inside the environment, and plan detection and response accordingly.