The energy was at an all-time high at Black Hat this year, with many innovative ideas but also practical discussions on taking advantage of a new generation of solutions—most powered by AI, such as the ability to more effectively tie cybersecurity spending to business metrics.
For a long time, CISOs never had to discuss the return on dollars spent explicitly, but like any other function, tough economic times bring the mantra of doing more with less or doing more with the same.
Here are some of the most enlightening comments and discussions about cyber risk management from the DeNexus team (Denise Sova, Sean Costa, and Chris Patteson) during Black Hat.
Several CISOs at manufacturers or companies with industrial environments told us that they’ve been made responsible for OT cybersecurity. It is a major shift in responsibility. A good place to start is to gain visibility into cyber risk, building a risk registry but also taking a business view on the cyber risk faced by the organization.
Common or interesting statements heard from CISOs about OT cybersecurity:
“We need to identify and prioritize vulnerabilities within critical infrastructure.”
“We need to justify cybersecurity investments to the board and stakeholders.”
“Cyber risk quantification tools should integrate with both IT and OT systems to provide a view of the organization’s risk landscape.”
“Prioritization and where to spend the next security dollar is always challenging.”
“We need to bridge the work we are doing with our ISO and NIST assessments into financial priorities and justification for projects that improve our posture.”
Risk management isn't just about spotting threats—it's about making smart choices on which risks to tackle, transfer, or live with while staying compliant and effectively communicating our cybersecurity investments and budget needs to the board.
Black Hat is an industry event with peer networking and many sales activities. Nothing has changed, and CISOs heavily rely on word-of-mouth and peer recommendations to make buying decisions. The old mantra of “people buy from people” is still valid. Our goal was to talk firsthand with CISOs at Black Hat, and it’s been refreshing to hear how open they are about talking about their challenges. They need help, especially elevating cybersecurity to a business-level topic.
Top takeaways:
We continue to see a shift towards risk-based cybersecurity where cybersecurity teams start to focus on the business impact of cybersecurity (or lack of) and strategize to address first and foremost the
If you haven’t started yet, now is a good time to evaluate your cyber risk in dollars, not in the number of CVEs or other scoring and technical metrics that your executive peers or your board won’t comprehend. You need business metrics such as Value at Risk and risk Reduction (in dollars) attached to every investment or risk mitigation project.
Here is a link to an output example from DeNexus https://www.denexus.io/resources/ebook/executive-report. Please contact us to review how we can help you quantify and better manage your OT cyber risks.