Addressing Cybersecurity in Your Budget: What Your C-Suite Must Know (Part 1)

At the centre of annual budget negotiations are spending priorities, and what should be at the top of your list is how to safeguard your business against cybersecurity risks in the most cost-effective manner. To gain the executive suite’s attention, your focus must be on real business risk, and your budget proposal must be engineered to address this important issue.
Enter the Business Heat Map. Present it in layman's terms: to keep your executives' interest, the presentation should not be overly technical or riddled with geek-speak.

Typically, a Business Heat Map plots the Top 10-15 business risks to the company on a grid, giving an easily digestible graphic. It works on two axes. The X-axis shows how likely it is that the threat behind the risk will actually happen, usually presented as a range from “Remote” to “Almost certain.” The Y-axis shows the impact on the business if it does happen, presented as a range from “Very Low” to “Material” impact.

It is imperative that potential cybersecurity threats make that Top 15 list; frankly, your budget isn’t complete without considering such business risks. Your C-Suite needs to address cybersecurity with the same seriousness as they would pending lawsuits and M&A activity.

Communicating cybersecurity as a risk to your C-Suite

Through a Risk Heat Map you can demonstrate all of the cybersecurity risks that you and your team are tracking. In the interest of your executive audience, keep this budget discussion brief but informative; you’re not trying to present 1,000 potential ways that an adversary can get into the network, you’re simply trying to educate the C-suite on who the adversary is.

Start by putting the most likely cyber adversary motivations on the heat map:

  • Cyber espionage
  • Cyber crime
  • Cyber hacktivism
  • Cyber terrorism
  • Cyber warfare
  • Disgruntled employee

An “insider threat” sits under a number of these motivations, but add it separately on this list.

Where you place these adversary motivations on your Heat Map is dependent on your business sector. A financial institution, for example, might place cybercrime high and to the right on the heat map, whereas a manufacturing business might have it low and to the left.

It’s helpful to provide at least one real-world, preferably recent, example of each of these adversary motivations to show what the cost was to the business. For example, in 2008 a disgruntled employee at Steven E Hutchins Architects destroyed seven years of customer data in addition to backup data. The company’s insurance claim stipulated this attack cost Steven E Hutchins Architects an incredible $2.5 million. Rather than investing in a recovery strategy in the event of cybercrime, businesses should concentrate on defending their infrastructure first: it’s a more cost- and time-effective process, and requires less labour to implement and maintain.

The cyber adversary motivations that migrate to the top right of your Cyber Risk Heat Map are the risks you are trying to reduce. When you put Cyber Risk in the Top 15 of the overall Business Heat Map, the cyber adversary motivations that are in the top right of the Cyber Risk Heat Map are what you are referring to.

Safeguard your business now.

Cirrus Networks is hosting ‘Breaking the KILL CHAIN – Lunch and Learn’ – Perth, May 21.

Learn how to combat cybersecurity invasions by employing just nine basic patterns. In conjunction with leading enterprise security company Palo Alto Networks, Cirrus Networks will not only show you how to identify the “kill chain”, but how to break it and ensure the future safety of your company. This is one event your business cannot afford to miss.