GCP – Cloud CISO Perspectives: Talk cyber in business terms to win allies
Welcome to the first Cloud CISO Perspectives for January 2025. We’re starting off the year at the top with boards of directors, and how talking about cybersecurity in business terms can help us better convey the costs and priority of the cybersecurity risks we face.
As with all Cloud CISO Perspectives, the contents of this newsletter are posted to the Google Cloud blog. If you’re reading this on the website and you’d like to receive the email version, you can subscribe here.
–Phil Venables, VP, TI Security & CISO, Google Cloud
Use business terms when discussing cybersecurity to gain broader support
By Phil Venables, VP, TI Security & CISO, Google Cloud
There’s little doubt that cyberattacks are a first-class business risk, and that a robust cybersecurity program can be an enabler of business. So when cybersecurity discussions move from the SOC to the C-suite and boardrooms, we should focus on using (and, when necessary, translating) cybersecurity terminology into more commonly understood business terms.
Common business terminology can help increase broader cybersecurity awareness, and help drive better cybersecurity policies and practices as a goal of the business. When we discuss the consequences of cyberattacks at the executive and board level in terms of the business impact, we’re making ourselves more understandable to crucial stakeholders — and more likely to find them in agreement with us.
Four broad categories that we can talk about include:
- Financial losses that can come with recalling products, replacing compromised components, and compensating affected customers can quickly run up to millions of dollars. As a point of reference, security breaches cost an average of $4.88 million each in 2024.
- Reputational damage from news reports of a breach can erode customer trust and loyalty, and drive a decline in sales while causing long-term damage to your brand.
- Legal and regulatory fallout can upend budgets as your organization faces potential customer lawsuits and regulatory penalties.
- Operational disruption often diverts resources and also impacts business continuity, which can strain relationships with partners and delay production.
Placing cyber risk in business context
Cyberattacks can directly disrupt critical services, compromise sensitive data, damage brand reputation, and erode customer trust, ultimately impacting revenue streams and shareholder value. To effectively manage cybersecurity risk and embed it into the business culture, we recommend that organizations take three key steps.
- Quantify cyber risk by developing clear methods to assess the financial impact of potential cyber threats. When your organization’s leadership can translate technical jargon into business consequences, they can help decision makers understand the overall cyber risk exposure in financial terms.
- Frame cybersecurity in business terms to better communicate cybersecurity risks. This can mean focusing on their potential impact on an organization’s strategic objectives and priorities. Instead of technical metrics, use narratives that highlight how these threats could affect revenue and operations.
- Deliver business benefits with security so that when you put in place controls to mitigate risk, you are also delivering adjacent benefits. Risk modeling, cost-benefit analyses, and tracking performance metrics aligned with business goals can help build strong security and business returns.
When conducting risk assessments, for example, evaluate the controls that sustain the current risk level and assess them for replacement, consolidation, or improvements that can deliver adjacent benefits. You might not always be successful, but the mere act of trying will enhance relationships with the wider organization.
Putting this into action
Boards of directors should discuss the following four topics with their chief information officer or chief technology officer, their chief information security officer, and the business leaders who own critical services:
- Clearly define business-critical services, document their dependencies, including third party providers, and identify potential vulnerabilities.
- Prioritize resilience so that cybersecurity measures can protect against threats and enhance the resilience of critical services. Advocate for investments in redundancy, disaster recovery planning, and incident response capabilities.
- Integrate security into all business processes by encouraging active participation from all departments, ensuring security becomes an integral part of the organization’s DNA — not an afterthought.
- Build a resilient workforce by offering competitive compensation and benefits, providing professional development opportunities, and fostering a positive work environment for skilled cybersecurity professionals. Investments in comprehensive training and mentorship programs to cultivate cybersecurity and risk management skills throughout the organization can also help you attract, develop, and retain talent.
A collaborative approach, with a focus on aligning cybersecurity with critical business services, can strengthen your organization’s security posture, protect its critical assets, and enhance its resilience against the ever-evolving cyber threat landscape.
Sections of this article appeared first in the sixth edition of our Perspectives on Security for the Board report, which also covered supply-chain threats and information sharing best practices. You can read the full report here.
In case you missed it
Here are the latest updates, products, services, and resources from our security teams so far this month:
- Get ready for a unique, immersive security experience at Next ‘25: Here’s why Google Cloud Next is shaping up to be a must-attend event for security experts and the security-curious alike. Read more.
- How Google makes threat detection high-quality, scalable, and modern: Get an inside look at Google’s approach to modern threat detection and response, part of our new “How Google Does It” series. Read more.
- How to make the cloud an engine for manufacturing success: In spite of challenges and threats facing the manufacturing sector, we see significant cause for optimism. Here’s why.
- The EU’s DORA has arrived. Google Cloud is ready to help: As DORA takes effect, financial entities in the EU must rise to a new level of operational resilience in the face of digital threats. Here’s how Google Cloud can help. Read more.
- Start using our tokenization tools to protect sensitive data: Google Cloud has tokenization built in. Here’s why you should use it for sensitive data protection. Read more.
Please visit the Google Cloud blog for more security stories published this month.
Threat Intelligence news
- Use Backscatter for automated malware configuration extraction: Backscatter is a tool developed by the Mandiant FLARE team that can automatically extract malware configurations. Read more.
- How to fix vulnerable single-page applications: Single-page applications (SPAs) often have multiple access control vulnerabilities, because authorization decisions made only in client-side rendering code can be bypassed by calling the backing APIs directly. By implementing a robust access control policy on the supporting APIs, the risks associated with client-side rendering can be largely mitigated. Here’s how. Read more.
Please visit the Google Cloud blog for more threat intelligence stories published this month.
Now hear this: Google Cloud Security and Mandiant podcasts
- Ransomware’s rising stakes in the cloud: What specific challenges and considerations arise when dealing with ransomware in cloud environments, and how can organizations adapt their security strategies to mitigate these risks? Allan Liska, ransomware sommelier and threat intelligence analyst, Recorded Future, joins hosts Anton Chuvakin and Seth Rosenblatt to discuss the evolving, challenging ransomware landscape. Listen here.
- Cybersecurity Forecast 2025: Less hype, more real: What’s coming this year in cybersecurity? How realistic are AI threats? Which legitimate threats are being obfuscated by hype? Andrew Kopcienski, principal intelligence analyst, Google Threat Intelligence Group, helps Anton clear up his crystal ball. Listen here.
To have our Cloud CISO Perspectives post delivered twice a month to your inbox, sign up for our newsletter. We’ll be back again in January with more security-related updates from Google Cloud.