Elevate Risk Management Reporting

Every executive has to justify their organization and its spend. The CISO role has unique challenges in justifying theirs: high-impact, low-probability events need to be modeled appropriately to drive an effective conversation with boards, investors and fellow executives.

We can visualize the impact of controls, as long as we have some theory of how they will help mitigate risk. Start with a risk register that gives each scenario a low and high loss estimate (in dollars). For example:

Risk_Register = [
        {"label": "Ransomware", "low": 200000, "high": 2000000},
        {"label": "BEC",        "low": 50000,  "high": 400000},
        {"label": "DDoS",       "low": 20000,  "high": 150000},
]

If we think some new controls (perhaps a larger insurance policy, implementation of privileged access management, or an incident response retainer) will reduce risk, we can derive a new set of ranges that reflect the expected effect of those controls:

Risk_Register_New_Controls = [
        {"label": "Ransomware", "low": 200000, "high": 1000000},
        {"label": "BEC",        "low": 30000,  "high": 300000},
        {"label": "DDoS",       "low": 20000,  "high": 100000},
]

Now when we present to the board on what security is doing, we can show meaningful downward pressure on the potential losses in the environment, rather than a list of projects with no tie to risk.
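To turn the two registers above into the kind of loss exceedance curve a board can read, here is an added worked example (my own code, not from the post). It assumes that each low/high pair is a 90% confidence interval on the loss from a single event, fitted to a lognormal distribution, and it adds an assumed annual probability of occurrence per scenario ("p"), which the post does not give; the probability values are constructed for illustration. Both registers are simulated with the same random stream so the before/after comparison is not clouded by sampling noise.

```python
import math
import random

# Z-score bounding a 90% confidence interval on a standard normal: P(-Z < z < Z) = 0.90.
Z90 = 1.645

# Registers transcribed from the post. The annual probability of at least one
# event ("p") is a constructed assumption added for this example, not from the post.
RISK_REGISTER = [
    {"label": "Ransomware", "low": 200000, "high": 2000000, "p": 0.30},
    {"label": "BEC",        "low": 50000,  "high": 400000,  "p": 0.50},
    {"label": "DDoS",       "low": 20000,  "high": 150000,  "p": 0.60},
]

RISK_REGISTER_NEW_CONTROLS = [
    {"label": "Ransomware", "low": 200000, "high": 1000000, "p": 0.30},
    {"label": "BEC",        "low": 30000,  "high": 300000,  "p": 0.50},
    {"label": "DDoS",       "low": 20000,  "high": 100000,  "p": 0.60},
]


def lognormal_params(low, high):
    """Treat (low, high) as the 90% CI of a lognormal loss magnitude and return
    (mu, sigma) of the underlying normal so that exp(mu -/+ Z90*sigma) lands on low/high."""
    if not (0 < low < high):
        raise ValueError("need 0 < low < high")
    mu = (math.log(low) + math.log(high)) / 2
    sigma = (math.log(high) - math.log(low)) / (2 * Z90)
    return mu, sigma


def annual_losses(register, trials=20000, seed=7):
    """Monte Carlo: in each simulated year every scenario occurs with probability p
    and, if it does, costs a lognormally distributed amount.
    Returns the list of simulated total annual losses (one entry per trial)."""
    rng = random.Random(seed)
    params = [(item["p"], *lognormal_params(item["low"], item["high"])) for item in register]
    totals = []
    for _ in range(trials):
        year_total = 0.0
        for p, mu, sigma in params:
            # Always draw both numbers so two registers with the same scenarios
            # consume the same random stream (common random numbers).
            u = rng.random()
            z = rng.gauss(0.0, 1.0)
            if u < p:
                year_total += math.exp(mu + sigma * z)
        totals.append(year_total)
    return totals


def exceedance_probability(losses, threshold):
    """P(annual loss >= threshold): one point on the loss exceedance curve."""
    return sum(1 for x in losses if x >= threshold) / len(losses)


def expected_annual_loss(losses):
    return sum(losses) / len(losses)


def loss_exceedance_curve(losses, thresholds):
    """The LEC as (threshold, exceedance probability) pairs, ready to plot."""
    return [(t, exceedance_probability(losses, t)) for t in thresholds]


if __name__ == "__main__":
    thresholds = [100_000, 250_000, 500_000, 1_000_000, 2_000_000]
    before = annual_losses(RISK_REGISTER)
    after = annual_losses(RISK_REGISTER_NEW_CONTROLS)
    print(f"Expected annual loss: before ${expected_annual_loss(before):,.0f}, "
          f"after ${expected_annual_loss(after):,.0f}")
    print(f"{'threshold':>12} {'P(before)':>10} {'P(after)':>10}")
    for (t, pb), (_, pa) in zip(loss_exceedance_curve(before, thresholds),
                                loss_exceedance_curve(after, thresholds)):
        print(f"{t:>12,} {pb:>10.3f} {pa:>10.3f}")
```

Plotting the two `loss_exceedance_curve` outputs on one chart (threshold on the x-axis, probability of exceeding it on the y-axis) gives the before/after picture for the board; the gap between the curves at a given dollar threshold is the risk reduction the controls are claimed to buy, and the expected-annual-loss difference is a one-number summary of it. Treat the output as only as good as the register: the probabilities and ranges are the inputs a security team has to defend.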

[Figure: Ransomware LEC (loss exceedance curve)]

About

Blaine Connaughton is an accomplished security and risk management professional based in Boston, MA, with significant expertise in serving healthcare and technology enterprises. Blaine specializes in applying advanced statistical risk methodologies and has held security leadership roles across health technology, medical device, and cybersecurity organizations. His career experience also includes marketing technology consultant, mobile application development, and probabilistic risk assessment for critical infrastructure, including the nuclear energy sector. Blaine holds a Bachelor’s degree in Physics from Worcester Polytechnic Institute (WPI).