How do you define a security threat? If you’re like most IT security professionals, your security threat definition is probably: “The potential occurrence of an attack against an organization’s infrastructure and assets.”
If this was a pop quiz, you could get half credit for that answer. It’s partly true, but it’s not the whole answer, and it’s not the answer your executive leaders and board of directors need to hear.
Christopher Armstrong, CISO of Livermore, Calif.-based Allgress Inc., popped this quiz on the audience during a business risk session at SecureWorld last month, and almost everyone gave the IT-centric answer above. But Armstrong made a strong case for changing our perspective when we talk about security threats.
When you talk to a CEO or a board member about the threats to his or her organization, Armstrong said, there’s no need to go into great detail about the type of attack that may occur, the motivation of the attacker, etc. All he or she really wants to know is: What will it cost us? And, what’s the probability it will happen?
Telling the CEO or the board that a widespread threat could steal your sensitive customer data isn’t likely to get you the funding you need to stop that threat. But tell them the threat could cost the organization $10 million and there’s a 50% chance it will happen, and they just may open the checkbook for you.
By looking at security projects from a board member’s perspective, as well your own infosec perspective, you’re more likely to get the resources you need to advance your security initiatives.