Reporting lines: Could separating from IT help CISOs?

Risk, its cost to the business, and the protective measures it justifies are calculated differently depending on who is asking. In IT terms, the likelihood of a ransomware attack is framed by the technical controls in place and the prevalence of attacks across the board. Bennett has found that discussions with CIOs focus on the high likelihood of a ransomware attack using that technical frame of reference. “How I try to convey risk to the CFO is the same way I have to convey risk to the board. If you report to a CIO or CTO, you can use buzzwords and acronyms, but with a CFO, you have no leeway,” he tells CSO.

News stories about ransomware underscore the prevalence of these attacks, the ever-present risk of one hitting the organization, and how damaging it would be in terms of data loss and downtime.

A CFO is more likely to ask how many incidents with a real impact the organization has had in the last six years, says Bennett. The answer might be none so far, but an attack could happen at any moment, as the news stories demonstrate. The risk must therefore be quantified in terms of potential damage to the organization, rather than historical attack data alone.
