Before that cyber incident hits, pull the CFO, CIO and other C-levels into your orbit

Supro Ghose is an 18-year veteran CISO with experience across the world of cyber risk management, from incubator startups to Microsoft, now CISO with Graphene Security, a cybersecurity consultancy.
In this episode of CISO Confidential, Supro sat down with SAFE CEO Saket Modi and jumped right into a worst-case scenario for a banking organization: awakened at 6:00 AM by a text alert that a critical managed file transfer service had been attacked, knocking out payment processing. Worse, the organization's core banking service provider had gone down from the same attack.
Within 45 minutes, Supro had a plan and a response team in place. He shut down the service and moved payments to an alternate system for manual processing until a patch was released late that night. “It would have been on the KEV list by the end of the day,” Supro said, referring to CISA's Known Exploited Vulnerabilities catalog. “But the end of the day would have been too late.”
Key takeaway: “When you get the intel, you act on the intel” to limit the “blast surface.” Don't wait for perfect information.
How was Supro able to mobilize the response so fast? He had prepared the ground by keeping the CIO, CFO and other members of senior leadership regularly informed about the state of cybersecurity. For example, Supro said, he never makes an appearance at a board meeting without first vetting his entire presentation with the CFO.
Key takeaway: “Information security is a team sport,” and one that requires CISOs, CTOs and CIOs to “bring their A-game every day.”
Saket and Supro spoke while attending the FAIR Conference, the leading gathering of advocates and practitioners of quantitative cyber risk management. Supro argued strongly that risk quantification is now a must-have for any CISO's team, especially now that many CISOs are required to sign the 10-K reports of public companies.
Beyond the legal obligations, CISOs need to keep up with the rising expectation of senior leadership that cybersecurity spending can be justified on a return-on-investment basis, like any other management discipline.
Key takeaway: Leadership now “wants to see actual hard data (from CISOs). When we are doing risk management with heat maps, that’s old school. We’ve got to change.”