Chief information security officer: Smile, you are rated!

By Charles d'Aumale
What, one more grade or rating? We thought we had finished with grades after university, but no! Ratings are omnipresent in our lives: at a vehicle's roadworthiness inspection, when selling a property, or when taking out a bank loan. We are rated everywhere! And now the cybersecurity of our organizations is to be rated too.

The movement has already started in the US and is inescapable. So, cybersecurity professional friends, smile! You have been struggling for years to educate your management and make them understand that your actions are critical to improving the organization's cybersecurity.

It remains difficult to objectively demonstrate that your cybersecurity approach is effective. People only come to see you during a cyber-attack that has disrupted the organization's business operations. You are also consulted when the sales director urgently asks you to answer questions about your cybersecurity as part of a call for tenders, or when he needs access to a public social network to buy tickets for a show. With a rating, by contrast, compared against your industry's average, worst, best and median, you can objectively demonstrate the relevance and value of your actions and projects to senior executives who are not cybersecurity professionals.

It does not matter if your organization does not yet have the best rating; smile anyway, because you will know which aspects you have to work on to move your organization forward. What matters is to show that the organization's cybersecurity effectiveness is progressing thanks to your actions and your influence. You then enter a virtuous circle in which management can see the progress and increase cybersecurity budgets.

In addition, comparing cybersecurity within your group, between your subsidiaries and your different business units, gives you visibility and thus allows calmer decision-making. Disseminating the best practices of well-performing units, supporting the underperforming ones, and creating a positive dynamic by stimulating your group are further ways to improve your organization's cybersecurity posture.

Finally, the rating allows you to engage in a better dialogue with other stakeholders in your organization, for example with the chief risk officer (CRO) and the chief financial officer (CFO), especially when subscribing to a cyber insurance solution. A good rating can be put forward: it is up to you to negotiate a better insurance premium or a lower deductible. If the rating is not yet good, you can establish a progress plan and demonstrate your improvements.

All stakeholders in the company have an interest in embracing cybersecurity ratings. Like any rating, the important thing is to make it a tool for management and continuous improvement. It is now time to take the lead!