I would love to be a fly on the wall in the boardroom when they talk about cyber risk. How do CIOs and CISOs make the case for the investment they need? In this fascinating WSJ interview, Andy Bryant, chairman of Intel, shares his experience of how he thinks it should be done. He advises being clear and precise about the scale of the threat, the implications for the business and the investment choices, inexpensive and expensive, that the board can make. He argues that this is a better and ultimately more realistic conversation than a straight budget pitch. As we have seen, even in the big banks, no one can spend enough to guarantee they will never be breached, and it is now more about who can spend most wisely.
“OK, if I give you X dollars, then we won’t be breached?” No sensible CIO is ever going to say, “Well, yeah, we still will be.” Help me understand again what the problem is. But you started by trying to blackmail me. Don’t do that. You’ve made it a budget pitch. Don’t do that. Come in to me and say, “Look. First, I’m going to educate you. Here is what we do. Here are the problems we’re solving. Here are some things we’re worried about. Here’s the magnitude of those. And by the way, yeah, we’re going to eventually be breached. However, there are some inexpensive things we can do to help and some expensive things. Let’s talk about those.”