As a CISO, you need to talk to your board members in their language. Here are 2 hacks to do that: Speak in terms of financial cyber risk quantification. Don’t tell them, “I deployed the Prolexic solution to mitigate DDoS attack on 121.1.2.3/24 network.” That won’t make an impact on them. Tell them, “I'm going to save potentially up to $5 million in an outage by spending $200,000 on a device to mitigate ransomware attacks.” Compare your organization with competitors.

Improving your organization’s cybersecurity posture increases trust with your clients and partners, and enables faster business growth. In times of economic uncertainty when budgets tighten, it’s critical to make that connection. In this video series, SecurityScorecard Co-Founder and Chief Operating Officer Sam Kassoumeh shares tips from our ebook, 5 Ways to Secure Your Organization in Turbulent Times, on how security teams can reduce risk by over 85% while ensuring that security investments deliver tangible value.

What you can’t measure, you can’t improve. In cybersecurity, nothing like this existed until SecurityScorecard came along. We introduced a set of objective KPIs that are trustworthy, accurate, and could be used to compare companies to each other. We do this by assembling hundreds of different signals across different categories of risk, such as application security, network security, endpoint security, leaked credentials, and shared records.

Darwin said it's not the strongest or the smartest that survive and thrive, but the quickest to adapt to change. Speed is everything if you want to run a company successfully. To do that, you need to build a culture of operating with urgency. That doesn’t mean you run frazzled or do a million things simultaneously. Nor does it mean being too flexible and nice when dependent teams tell you, “Go wait.”

At Amazon, Jeff Bezos was famous for having an empty chair in the meeting room that represented the customer. I admire him for that because as the organization grows, it's easy to have meetings that are so focused on metrics, KPIs, internal execution, etc. that you lose sight of the customer. Here’s how we practice being customer-obsessed at SecurityScorecard: We make sure that we start every meeting by sharing customer insights, such as.

Over $800,000 - that’s the cost of the average ransomware payout last year. 66% of mid-sized organizations and about 37% of global organizations got hit. (Sources cited below) Attackers have developed new techniques that a lot of companies aren’t aware of or prepared for. For example, the demand for ransomware as a service has hugely increased, resulting in many more organizations being hacked every day.

"I understand the pitfalls of cyber security, but my boss just won't support me with the budget I need.” Does this sound familiar to you as a CISO? I have 3 pieces of advice for you: Speak their language I like to say that CISOs are from Mars, while CEOs and board members are from Venus. It’s because they don't speak the same language. You might go to your board and say, “I installed Akamai Prolexic.1.4.4.3.1./24 subnet to mitigate an SYN flood attack.”

Here are 3 tips for founders and CEOs to have a work-life balance: As a founder/CEO, there are always 500 more things you could do at the end of the day, the next day, and the day thereafter. So you’ve to ask questions like:“What can I do that will deliver 10x results?”“What can I do to move the needle the most?”“What areas will the results be the same unless I get involved?” Before each day starts, I ask myself, “What are the top few things I need to accomplish?”

Here’s why you should check a company’s overall cyber security health before acquiring it: You could be doing a great job protecting your company. But then, if you merge with a business with holes and attackers are already inside it, their problem becomes your problem. So you need to build a rigorous methodology and a playbook to assess the security of your target during the M&A diligence. Here’s how you can do it.

Vulnerability scans test for different misconfigurations and report the vulnerabilities. But they have 2 big drawbacks: You need to get consent from a company before you do a vulnerability scan on them. You may get a very rigorous readout from a vulnerability scan. But then a sleep-deprived IT administrator misconfigured the system, making your report irrelevant. On the other hand, security ratings don’t need anybody’s consent and provide continuous, real-time monitoring.