In this chapter, you will:
• Understand why cyber risk is a business problem
• Recognize the challenges of communicating cyber risk
• See why cyber risk analytics is a business imperative
“If no mistakes have you made, yet losing you are, a different game you should play.” ― Yoda.
It’s a vicious cycle.
Hacker motivations have risen to new levels and now include espionage, disinformation, market manipulation, and infrastructure disruption. To achieve these aims, attackers have continuously upgraded their toolkits and techniques. In self-preservation, security leaders, once again, are asking for more funding. Business leaders are left on the sidelines, wondering if this new round of cyber budget increases will protect their most valuable assets. But they have no real way of knowing. Most organizations are operating blindly with respect to how much they are investing in cybersecurity versus the value they are receiving. As more—and increasingly serious—cyberattacks occur, corporate boards are beginning to doubt the effectiveness of current and proposed cybersecurity strategies.
Weary of ever-increasing security spend, business leaders are closely scrutinizing security budgets. Further, they are challenging the notion that cybersecurity remains solely an IT concern, rather than a function that must be fully embedded in the organization’s risk management framework. It’s time to stop the vicious cycle of cyberattack → budget request → budget approval → repeat.
Cyber Risk Is a Business Problem
Cybersecurity teams have been forced to place a premium on action over strategy. Unrelenting attacks from unpredictable threat actors mix with gaps in the security team’s understanding of the organization’s business priorities to create this perfect storm of unaccounted-for cyber risk. While security teams are fighting for survival of the organization, corporate leaders are making decisions at the highest level about where to expand, what offices to open, what partners to sign, and what systems to develop without taking cyber into account.
Boards are Asking the Hard Questions
While no business leaders are saying “Do less to protect the organization,” their attention has been drawn to the mounting cyber budget. Increased costs with unprovable ROI and marginal financial accountability have placed cybersecurity leaders in the hot seat for answers. Unclear about the ROI and value of cyber spend to the organization, CEOs and board members are asking the same hard-hitting, intelligent questions they pose to every other leader in the organization. These are Business 101 questions, to be sure, and yet security leaders are poorly equipped to lead informed discussions with business leaders about managing cyber risk.
Critical Questions Boards Are Asking About Cyber Risk:
• Why are we being asked for more money and resources?
• Are we cost-effectively and efficiently securing our critical business assets?
• Will our budget reduce our exposure to business loss to an acceptable level? What is an acceptable level?
• What is our current cyber risk to the business?
• Are we insured appropriately for the level of cyber risk we face?
• What strategic trade-offs will we need to make to fund security initiatives?
• How should these trade-offs be prioritized?
• Is this spend correctly prioritized in relation to all other business risk?
CISOs are Struggling for Answers
Security leaders continuously strive to help business leaders understand cyber risk. Cyber threats and defense measures often dominate the conversation. These discussions can be reactive and, because of the level of technical language required, they can sound like Latin to the rest of the company. Business leaders are forced to translate these conversations into their own set of priorities, risks, and daily fires that they must manage. Frustrations grow as the language barrier and communication gap widens.
Boards speak the language of business and risk as opposed to cybersecurity and are holding security leaders accountable for doing the same. This is a struggle for most security leaders. It is not a lack of desire or capability that leads to this struggle; rather, it is the challenge inherent in translating technology-related risks into financially based metrics that can be ranked with all the other business issues.
An Example: Cyber Insurance
Organizations that are incapable of accurately calculating cyber risk are susceptible to making poor business decisions. One of the most immediate mistakes could be under- or over-investing in cyber insurance. This is a black box for most organizations. Spending too much obviously draws resources away from other needs. Spending too little can be catastrophic in the event of a cyber breach. Ensuring that insurance is aligned with cyber risk may not keep the company out of the headlines. However, it certainly could avoid an eight- or nine-digit price tag once the dust settles.
Why Cyber Risk Analytics?
To effectively manage their portfolio of risks, business leaders must understand how cyber risk impacts their organization. Too often, however, cyber risk is measured using generalized simulations and Governance, Risk & Compliance (GRC) best practices or standards. This speculative approach weakens the credibility of a cyber risk story, and does not advance the cause for justifying budgetary needs for technology initiatives. The time has come to measure, manage, and communicate cyber risk with verifiable intelligence and from the business perspective. Security professionals, however, aren’t always comfortable talking about the business. The role of cybersecurity often focuses on technology-based needs. How many DDoS events were blocked? How many vulnerabilities do we need to patch today? Security leaders need a way to communicate with business leaders—in very clear terms—the cyber risks of doing business. The answer lies in cyber risk analytics. Cyber risk analytics provides a data-driven methodology to connect the dots between business applications, IT exposures, vulnerabilities in technical assets, and known-attacker scenarios to quantitatively measure security risk and potential losses in financial terms.
Speaking in the Business Language
Historically, cybersecurity leaders have had little visibility into business structure, motivations, and initiatives. Considering that cybersecurity is rooted in technology, shifting to “speaking business cyber risk” is almost like learning a foreign language. This communication gap alone has been enough to keep cybersecurity leaders on the outside looking in at the business. A holistic picture of cyber risk, supported by financially quantified metrics that can be linked to areas of business impact, empowers security leaders to become business enablers. They can move beyond unprovable ROI budget justifications, speak the language of business, and become trusted advisors who help companies define their risk appetite and identify ways to mitigate risk that are understandable to business leaders. Lacking financially quantified cyber risks, business leaders and security teams cannot hold productive conversations about security. It is only when cyber risk and its impact on the business are analyzed and this clear communication occurs that business leaders can make informed and intelligent decisions regarding cyber risk and prioritize security investments.
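To make the idea of “financially quantified metrics” concrete, and to tie it back to the cyber insurance example above, here is a small Monte Carlo loss model added as an illustration. It is not the guide’s methodology or any vendor’s product logic; it is a generic, simplified approach that links a business application, its exposure to an attacker scenario, and a loss severity range, then simulates many years to produce an annualized expected loss, a 1-in-20-year tail loss, and the gap between that tail loss and a hypothetical insurance policy limit. Every scenario, application name, dollar figure and probability is a constructed sample value.

```python
# Added illustration: a small Monte Carlo loss model that links business
# applications, their exposures and attacker scenarios to losses in dollars.
# Constructed for this page; not the guide's own methodology. All figures are
# made-up sample values.
import math
import random
from dataclasses import dataclass
from typing import Dict, List


@dataclass(frozen=True)
class Scenario:
    """One attacker scenario against one business application (constructed)."""
    name: str
    application: str
    business_value: float      # worst-case loss if the application is fully compromised
    annual_frequency: float    # expected number of attempts per year (Poisson mean)
    p_success: float           # probability an attempt succeeds given current exposures
    loss_low: float            # fraction of business_value lost: min / most likely / max
    loss_mode: float
    loss_high: float


# Constructed sample portfolio; the names and numbers are illustrative only.
SCENARIOS: List[Scenario] = [
    Scenario("ransomware on order management", "order-mgmt", 5_000_000, 1.5, 0.10, 0.05, 0.15, 0.40),
    Scenario("credential theft on customer portal", "portal", 2_000_000, 4.0, 0.05, 0.02, 0.10, 0.30),
    Scenario("data exfiltration via unpatched HR app", "hr-app", 3_000_000, 0.5, 0.20, 0.10, 0.30, 0.80),
]


def poisson(rng: random.Random, mean: float) -> int:
    """Sample an event count from Poisson(mean) (Knuth's method, fine for small means)."""
    limit = math.exp(-mean)
    count, p = 0, rng.random()
    while p > limit:
        count += 1
        p *= rng.random()
    return count


def simulate_annual_losses(scenarios: List[Scenario], years: int = 10_000, seed: int = 7) -> List[float]:
    """Return one total loss figure per simulated year across all scenarios."""
    rng = random.Random(seed)
    totals = []
    for _ in range(years):
        total = 0.0
        for s in scenarios:
            for _ in range(poisson(rng, s.annual_frequency)):
                if rng.random() < s.p_success:
                    # triangular(low, high, mode): share of the application's value that is lost
                    total += rng.triangular(s.loss_low, s.loss_high, s.loss_mode) * s.business_value
        totals.append(total)
    return totals


def analytic_expected_loss(scenarios: List[Scenario]) -> float:
    """Closed-form annualized expected loss: frequency x P(success) x mean severity."""
    return sum(
        s.annual_frequency * s.p_success * s.business_value * (s.loss_low + s.loss_mode + s.loss_high) / 3
        for s in scenarios
    )


def expected_annual_loss(totals: List[float]) -> float:
    """Mean simulated loss per year (the simulation's estimate of annualized loss)."""
    return sum(totals) / len(totals)


def loss_exceedance(totals: List[float], percentile: float) -> float:
    """Loss not exceeded in `percentile` of simulated years (e.g. 0.95 -> 1-in-20-year loss)."""
    ordered = sorted(totals)
    index = min(len(ordered) - 1, max(0, math.ceil(percentile * len(ordered)) - 1))
    return ordered[index]


def coverage_gap(totals: List[float], policy_limit: float, percentile: float = 0.95) -> float:
    """Dollars by which the tail loss exceeds the (hypothetical) policy limit; 0 if covered."""
    return max(0.0, loss_exceedance(totals, percentile) - policy_limit)


def summarize(scenarios: List[Scenario], policy_limit: float) -> Dict[str, float]:
    """Board-level numbers: expected annual loss, tail loss, and insurance adequacy."""
    totals = simulate_annual_losses(scenarios)
    return {
        "expected_annual_loss": expected_annual_loss(totals),
        "loss_95th_percentile": loss_exceedance(totals, 0.95),
        "insurance_gap_at_95th": coverage_gap(totals, policy_limit, 0.95),
    }


if __name__ == "__main__":
    # Hypothetical $1M policy limit; compare it with the simulated 1-in-20-year loss.
    for key, value in summarize(SCENARIOS, policy_limit=1_000_000).items():
        print(f"{key:>24}: ${value:,.0f}")
```

The point of the structure is that each input is something a security team can defend in front of a board: the business value of an application comes from the business owner, attempt frequency and success probability come from threat intelligence and the current state of exposures, and the severity range comes from incident history. Changing an exposure (say, a lower `p_success` after patching the HR application) re-runs to a new expected loss and a new insurance gap, which is a trade-off a board can rank against other business risks. Real models use richer distributions and calibrated inputs; the shape of the argument is what matters here.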
Want to read the rest of the chapters? Download our full Definitive Guide to Cyber Risk Analytics today!