It’s a new way of thinking about cyber, which means you probably have a few questions.

But before we get into the FAQ, we want to tell you that the most important lesson to remember is that cybersecurity isn’t a destination; it’s a journey. And the quality of your journey depends on the choices you make. Do all four cylinders of your company—the people, processes, management, and technology—fire in unison to get you to your destination?

You get to decide how much you want to spend—in both effort and time—on cybersecurity. You can protect your assets at a minimal level for the kind of business you are and the type of data you possess, or at a world-class level, or anywhere in between. Whatever you choose should be a conscious decision based on what’s best for your organization and reasonable as defined by the FTC.

How much does it cost?

You have unlimited cyber risks with limited time and financial resources to manage them.

The price of a twelve-month Managed Program is a flat fee that is determined by the size of your organization. We use annual revenue as a proxy for the level of effort required. Our pricing corresponds to several revenue ranges:

  • Less than $10 million
  • $10-24 million
  • $25-99 million
  • $100-299 million
  • $300 million and above

And an entire year costs much less than the price of a full-time employee, while giving you a team of Cyber Risk Opportunities experts and a proven system.

How long does it take to create our Cyber Risk Mitigation Plan?

The Managed Program consists of three phases conducted over 12 months and is renewed annually. Within the first 30 days we will interview your key stakeholders, determine your top risks, and prioritize those risks based on the highest value to your organization. By day 60, based on the responsiveness of your organization, you will have a finished mitigation plan.

Do you have suggestions on how to persuade my boss that this is a good investment?

You can persuade other executives in a few different ways.

Cyber has become a full-fledged business risk, right up there with risks to sales, order fulfillment, and accounts receivable. A Cyber Risk Managed Program allows you to quickly adopt this approach. And, it’s complementary to the technical cybersecurity work you’re already doing.

Also, forward-thinking organizations see cyber not just as a risk that has a downside, but also as a business opportunity. It can be the basis for a competitive advantage. Just look at how FedEx in Europe closed its doors for many days in 2017 during the NotPetya cyberattack while DHL stayed in business. You can see from the public financial statements released by both companies following the attacks that FedEx lost $300 million (and counting) while DHL saw shipment volumes, revenue, and profit all rise.

Or, you could tell them about the reality of FTC consequences for unreasonable cybersecurity. Some examples include:

  • Government orders, released to the public, to correct illegal practices
  • Twenty years of close oversight of the cybersecurity program
  • $40,000 in fines for each new violation

How are you different than other vendors selling cyber risk programs?

Our Managed Program is an executive service, not a technical service, because we believe that exceptional cybersecurity is a competitive advantage that will help you rise above your competitors.

Cyber Risk Opportunities’ approach to business comes from an educational perspective. We believe that cybersecurity is a team sport, so we focus on moving our customers’ culture towards greater respect for cybersecurity.

We have fixed pricing, not hourly. Our Managed Program is designed to support buyers throughout an entire year, rather than provide a “once and done” experience.

Our deliverables, such as the graphic representation of your data, are unique and specifically designed for senior decision makers. You’ll receive the following as a part of the Managed Program:

  • CRO Risk Score™
  • CRO Mitigation Plan™
  • CRO Cybersecurity Scorecard™
  • CRO Cybersecurity Sprints™

You’ll receive independent advice throughout the entire process and our business model does not require us to sell you anything else, like software or additional services billed by the hour.

What do you consider reasonable cyber security?

The Federal Trade Commission (FTC) says an organization must practice “reasonable security measures” as compared to an entity of similar size and sophistication given the type, amount, and methods of data collected. Our entire Managed Program is designed to prove your reasonableness.

What is the NIST Cybersecurity Framework?

The FTC established the NIST Cybersecurity Framework as a measurement to determine whether your company is practicing reasonable cybersecurity based on five functions:

  1. How well you identify digital assets and cyber risks
  2. How well you protect your assets against those risks
  3. How well you detect cybersecurity breaches
  4. How well you respond to those breaches
  5. And how well you recover from those breaches

The framework is predicated on the idea that perfect prevention of cyber risks isn’t practical, so you must have the ability to detect, respond to, and recover from data breaches built into your cyber risk management game plan.