Blue Lava Introduces New Risk Solution to Further Help CISOs Communicate with their Business Leaders

The proposed cybersecurity guidelines by the U.S. Securities and Exchange Commission (as we covered in our most recent webinar series, Preparing for the SEC Cybersecurity Guidelines) promise to place greater responsibility on C-suites and Boards of publicly traded companies by standardizing disclosures related to cybersecurity risk management. Even before the new SEC proposed guidelines, one of your priorities as a CISO is to determine how to reduce risk to the business. In fact, the vast majority of Boards of Directors—88% according to a 2022 Gartner survey—view cybersecurity as a business risk.

One challenge is that risk management solutions often provide broadly scoped frameworks designed to encompass a range of risks beyond security: enterprise, operational, environmental, etc. The solutions offer flexibility, but it comes at the expense of tactical, practical guidance and content to provide immediate value. For these solutions to provide value, security teams must already know what their top risks are. These approaches quickly become complex and challenging to assess, lacking transparency or attributable return on value. And if isolated from maturity and gap assessments, they can be challenging to translate into specific actions to address the risks.

Instead of running them through a collection of data gathered from various spreadsheets and other sources, CISOs simply want to know how the program affects the business.

The most common questions CISOs are asked to address are:

  1. What’s my biggest risk?
  2. How well are we doing in mitigating the risk?
  3. What do we need to do to mitigate risks better?

To help CISOs measure, mitigate and communicate their cyber risks, Blue Lava has introduced a new Risk Dashboard and toolset within its Security Program Management (SPM) platform.

The Risk Overview gives you a centralized view and summary of all the risks in your risk catalog.

Behind this high-level view is a pre-built catalog of risks mapped to the open VERIS Framework – the same framework used in the Verizon Data Breach Investigations Report (DBIR). By taking this well-known framework and mapping it to the Blue Lava Capability Maturity Model (CMM), Blue Lava makes it simple and easy to translate the results of your maturity assessment, without needing to be a risk expert. Blue Lava prioritizes risks according to impact and likelihood, and maps these to assessment findings. CISOs can now plan security projects in alignment with risk, manage resource allocation, and track remediation over time.


The Risk Details page allows the user to take Blue Lava data about risk and augment it with additional factors driving both inherent risk and residual risk to build the complete narrative. This functionality gives you the ability to provide additional information affecting residual risk (for example, an insurance policy) that may not necessarily be captured by the security assessment but gives a more accurate reflection or narrative. You can also see the resulting control effectiveness—the measurement of how well you are covered or mitigated against this risk based on the requirements you have met in your assessment. Users can designate who’s responsible for that risk within their organization and the unique business objectives it impacts.

Risk Management goes beyond simply understanding how protected you are against risks based on an assessment. With Blue Lava, you can factor in the inherent likelihood and impact of a particular risk by drilling down into each risk, reviewing details and inputting inherent risk values.

By double-clicking further into findings, you can build projects tied back to risk to translate assessments into action. In contrast to current risk management tools that offer blank templates, Blue Lava provides content, prescriptive guidance, and recommendations on how to mitigate common security risks. This ability to view findings and plan projects based on risk is key to building a risk-based program you can communicate to the Board.

By communicating in the language of business risk, Blue Lava, built with, by and for CISOs, is elevating the business conversation from compliance-driven and reactionary initiatives to a true security program management strategy discussion.

For more information about Blue Lava’s products and services related to building a risk-based approach to security program management, please visit us at