Eli Migdal, co-founder of Boardish, recently visited the CyberTech 2020 conference and took part in a sponsored interview opportunity with none other than the legendary veteran tech journalist David Spark, founder of Spark Media Solutions, a content marketing agency for tech and security companies.
David is the producer of the CISO/Security Vendor Relationship Series that speaks to the minds and hearts of everyone in the security ecosystem.
In his series, he regularly discusses the newest insights in the field of cybersecurity, particularly the relations between those who are buying and selling cybersecurity solutions, so he has real insight into the communication issues between the board and CISOs.
During the interview, David and Eli discussed the core of the issue in the cybersecurity world: slow decision-making.
David was visibly enthusiastic about Eli’s project, explaining that some of the best engagement he got on his Defense in Depth podcast was when they discussed communication and presentation in front of the board.
Eli explained that the nature of this issue isn’t technical – there are plenty of vendors offering excellent solutions to cybersecurity issues. The problem lies in how long it takes the board to approve a proposed solution, and this boils down to a communication gap between board members and CISOs.
“The board doesn’t work well with the risk score approach,” Eli argues, explaining that risk scores don’t come naturally to them. David echoes his argument by saying the board can’t really say much after security risk is explained in terms like low, medium, or high. They go on to discuss how to translate these into language the board understands.
For the board to be able to work with threats, these threats need to be quantified into specific financial figures, and CISOs need a solution that helps them do this quickly.
Right now, CISOs have a wealth of information on cybersecurity issues that they get from numerous data sources, but these still need to be quantified into the right metrics before being presented to the board.
Data breach, the solution, mitigation – everything must be put into specific financial figures. Where there is a threat, it will be displayed in financial figures – $50 million, for example – followed by a mitigation strategy displayed in the same manner. The mitigation can lower the threat by 50%, or $25 million. Finally, there’s also the cost of the solution that helps mitigate the issue, which is $1 million.
So, by investing $1 million, the company will save $25 million.
“This makes it so much simpler for the board to actually do very quick decisions,” explains Eli.
The main reason to speed up decision making is to be quicker than the bad guys. Hackers don’t have to deal with a proof of concept or getting agreements for their method of attack, but companies don’t have that luxury.
Quick decision-making is crucial to stay one step ahead.
Eli’s Boardish is the solution that helps bridge this gap between decision-makers and CISOs. It translates cybersecurity risk from risk score to financial figures.
With Boardish, the board immediately sees the numbers on threats, exposure, and mitigation, so they can make a quick decision on which solution or solution package will be best.
The information displayed by Boardish relies on a unique and original methodology of quantifying cyber risks. The methodology was extensively tested, tweaked, and sent to numerous external companies for validation while Boardish was still in development.
With Boardish, CISOs can be confident in the numbers they get from the tool, and it’s easy to do a proof of concept before bringing the tool to board meetings. To check how accurate Boardish truly is, CISOs can simply put in historical data for an issue that was already resolved and then compare the results they get from Boardish to the actual results.
CISOs who are already using Boardish report that the decision-making process has shortened drastically and that it takes only 50% of the usual time for the board to come to a decision.
With so many vendors and solutions already solving the technical side of cybersecurity issues, Boardish focuses on the business and language element – it acts as a translator between what the CISO and board are saying. When they speak the same language, decision-making becomes quicker.
With Boardish, CISOs finally have a way to address the language barrier issue with the board and can present threats and solutions in financial figures, the language the board understands.