Erik Blomberg, CSO, Handelsbanken (Moderator)
Stefan Jäschke, SVP & Head of Enterprise IT Security, Volvo Group (Panelist)
Petri Ala-Annala, CISO, Nobia (Panelist)
Maciej Wlodarczyk, Information Security Officer, Sanoma Media Finland (Panelist)
MARCH 2023
In today’s cyber threat landscape, measuring and communicating security risk is integral to reducing an organisation’s vulnerability to attacks. However, low quality and availability of data can impede the CISO’s ability to communicate risk levels to other lines of business. It is therefore critical that CISOs focus on sourcing and communicating the right data to provide a comprehensive and intelligible view of risk level and security posture. This is no easy task.
Measuring and communicating risk is a top priority for CISOs in the Nordic region and the broader Evanta CISO community. In a recent Town Hall, CISOs in the Nordic region came together to discuss how a data-driven approach to risk management can enable CISOs to better communicate cyber threats to non-security functions of the business.
Leading this session, Erik Blomberg, CSO, Handelsbanken, Stefan Jäschke, SVP & Head of Enterprise IT Security, Volvo Group, Petri Ala-Annala, CISO, Nobia and Maciej Wlodarczyk, Information Security Officer, Sanoma Media Finland discussed strategies on how to effectively communicate the value of cybersecurity for non-IT-focused teams, to help foster a mature, resilient cyber risk posture.
Defining Risk Management in Terms of Business Objectives
One of the key points raised is the importance of clearly defining risk in accordance with broader business objectives. By placing risk in its appropriate business context, CISOs are able to effectively ‘speak the language of the business’ – communicating how resources can and should be allocated to strengthen their cybersecurity framework. However, this presents a significant challenge in itself, requiring a mix of both quantitative and qualitative risk assessment.
Leadership teams typically consist of a myriad of personalities – each with distinct learning styles and varying degrees of familiarity with technical areas such as cybersecurity. As such, presenting risk data in both qualitative and quantitative forms can account for these differing expectations on how to approach problems, enabling essential information to be articulated in a palatable, interpretable way for all board members.
Crucially, qualitative risk assessments need to stand on the shoulders of quantitative ones. This empowers CISOs to open up a dialogue with broader functions of the business and elevate cybersecurity concerns to the top of the board’s priorities.
Overall, cyber risk data functions as a communication tool for the CISO to influence the board’s decision-making and priorities. CISOs must translate risk into a business need, which then acts as a gateway for company-wide decision-making. By implementing a combination of qualitative and quantitative data, CISOs can identify a priority risk and outline the best decision to be made and the timeframe in which to make it.
Reporting with High Quality Data & Analytics
While it is essential for CISOs to frame cyber risk data in accordance with broader business objectives, it is equally important to source good-quality data in the first place. This also presents a significant challenge for CISOs, who measure and communicate risk by utilising the risk data that is available.
As such, any limitations on the availability of this data can impede the CISO’s ability to effectively and convincingly communicate risk to the board. One step to overcome this challenge is to implement data quality programmes and stricter data governance policies. Moreover, CISOs must ensure that data teams across their organisations understand why this data is so valuable in influencing company-wide decision-making.
Across all these initiatives, CISOs should keep in mind that ultimately ‘security comes first’, where data is foundational to a threat-based approach to risk management.