6 Challenges New CISOs Face in Assessing Breach Risk

Rich Campagna
May 22, 2020 | 4 min read | Security Posture

Week 2 at the new gig as CISO of the hot company you’ve had your eye on for quite some time. No immediate red flags yet. Your team seems awesome, you’re ready to get going as soon as you wake up, and in internal discussions, you’ve noticed that you are now referring to what “we” do rather than what “you” do.

You’re still drinking from the proverbial fire hose, but these are good signs that you’re settling in.

An incoming calendar request informs you that you have just under 2 months until the next board meeting, where you’ll be presenting.


You haven’t even broken in the trendy half sneaker, half dress shoe Cole Haans you bought in the company colors yet, and you already have a very tight timeline for assessing the company’s breach risk and mapping out an infosec strategy.

Ideally, in those next 60 days, you’ll need to formulate and present a cybersecurity operating plan to the board:

  1. Which is aligned with the business
  2. Which you can justify/explain in a data-driven way
  3. Where you can highlight deficiencies and (ideally), demonstrate progress

These may sound like relatively simple tasks, but that is rarely the case. There are many pitfalls you’ll likely encounter along the way.

Here are the 6 Key Challenges New CISOs Face in Assessing Enterprise Breach Risk

  1. It’s difficult to align your plan with business goals due to gaps between the business level view and the inherited IT/cybersecurity level view.
  2. The prior regime likely did not have a good handle on breach risk, telemetry, tools, or processes. Even worse, it’s possible that they misled the board on this topic, or relied on gut feel and incomplete data in board discussions.
  3. You can’t improve what you can’t measure, and nobody even knows how many assets the organization has. Mechanisms for IT asset inventory are not up to date (manual, not real-time/continuous) and are incomplete (cloud, mobile, IoT). The incomplete inventory that does exist has no concept of measures important to risk calculations, such as business criticality.
  4. Current approved cybersecurity funding is significantly less than what’s needed, and of the existing controls, it’s impossible to show their impact and effectiveness in reducing overall breach risk.
  5. It’s difficult to prioritize because there are too many cybersecurity issues and too many different types of issues.
  6. There isn’t a reporting framework that can generate different types of reports appropriate for various scenarios and audiences. The board and exec staff don’t understand technical security concepts, and frequently confuse compliance and security, yet your predecessor seems to have talked mostly about CVSS scores and encryption algorithms.

If any of this sounds familiar, Balbix can help you assess and quantify security posture and breach risk for your board of directors and senior management. Learn more in The Ultimate Guide to Cyber Risk Reporting to Your Board.