Technology risk is straightforward and well understood. Cyber risk is elusive, confounding, and NOT well understood. I could end my blog here, but I'll add a bit more context.
Technology risks tend to be easy to get our minds around. They are relatively easy to identify and are typically apparent the moment the risk materializes: power fluctuations, failed computer components, data loss, systems that fail to scale during peak usage, software patches that break something else, a coffee maker timer set to PM instead of AM (user error). In many instances you can see and point to a technology risk.
Cyber risks defy description. Identifying them is more complex than a chess game, with far more permutations. And unlike almost every other risk a business faces, cyber risk involves an adversary who behaves unpredictably, adapts to your defenses, and is determined to harm your business. These and other factors make managing cyber risk especially challenging.
More and more organizations are implementing processes to identify and address cyber risks. However, few have taken the next step of quantifying the financial exposure those identified risks create. Who can blame them? It is very difficult to get your mind around the financial impact of a data breach, or of a ransomware worm rendering a large swath of your corporate data useless.
There are many potential loss types, or exposures, resulting from cyber risks: lost revenue, reputation damage, fines, cost of recovery, system downtime, legal fees, identity protection services, lost productivity, and contractual obligations are just a few. Each loss type has its own immediate and long-term financial impact on an organization. This spider web of factors very quickly compounds the challenge of quantifying cyber risk in financial terms. Where do you start? How do you tie cyber posture to the risk of financial loss? And how do you decide which cyber risks that create financial exposure to address, and how?
We have choices on how to deal with the risks we identify. Anyone familiar with the discipline of risk management is familiar with these:
- We can accept a risk and do nothing. This is a calculated decision that the probability of occurrence and the potential loss do not warrant action; the organization retains the full expected loss.
- We can insure against it. This is a backstop to the potential loss, transferring a portion of the financial impact to an insurer in exchange for a premium, subject to the policy's deductible and limit.
- We can transfer a risk to another entity. If an organization is savvy enough to assign risk ownership, this is a strong option for placing a risk (for example by contract with a provider) where it can best be addressed and resourced.
- We can mitigate a risk. Take steps to reduce the likelihood of the event, reduce the loss if it does occur, or avoid the risk altogether, at the cost of implementing and operating the controls.
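To make the comparison of these four options concrete, here is an added worked example (my own code, not part of the original post and not Nehemiah Security's RQ model). It uses the classic single loss expectancy (SLE) and annualized loss expectancy (ALE) approach: each scenario is tied to a business process, its loss is broken into the loss types listed above, the processes are ranked by ALE, and each treatment option is priced as expected annual cost to the organization. Every figure (probabilities, dollar amounts, premiums, control costs) is constructed and hypothetical; the functions `accept`, `insure`, `transfer`, `mitigate` and `best_option` are assumptions for illustration.

```python
"""Expected-loss comparison of the four risk treatment options.

All scenarios and dollar figures below are constructed for illustration;
they are not real data and not any vendor's model.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class Scenario:
    business_process: str
    event: str
    annual_probability: float       # chance the event occurs in a given year
    losses: Dict[str, float]        # loss type -> cost of a single event (USD)

    def single_loss_expectancy(self) -> float:
        """SLE: total cost of one occurrence across all loss types."""
        return float(sum(self.losses.values()))

    def annualized_loss_expectancy(self) -> float:
        """ALE: expected cost per year if nothing is done."""
        return round(self.annual_probability * self.single_loss_expectancy(), 2)


def rank_by_exposure(scenarios: List[Scenario]) -> List[Tuple[str, float]]:
    """Business processes ordered by expected annual loss, highest first."""
    ranked = sorted(scenarios, key=lambda s: s.annualized_loss_expectancy(), reverse=True)
    return [(s.business_process, s.annualized_loss_expectancy()) for s in ranked]


# --- The four treatment options, each as expected annual cost to the organization ---

def accept(s: Scenario) -> float:
    """Do nothing: the organization carries the full ALE."""
    return s.annualized_loss_expectancy()


def insure(s: Scenario, premium: float, deductible: float, limit: float) -> float:
    """Insurer pays min(limit, SLE - deductible); the organization pays the rest plus the premium."""
    sle = s.single_loss_expectancy()
    covered = min(limit, max(0.0, sle - deductible))
    retained_per_event = sle - covered
    return round(premium + s.annual_probability * retained_per_event, 2)


def transfer(s: Scenario, fee: float, retained_fraction: float) -> float:
    """Contractually move the risk to another entity that bears (1 - retained_fraction) of each loss."""
    return round(fee + retained_fraction * s.annualized_loss_expectancy(), 2)


def mitigate(s: Scenario, control_cost: float,
             probability_reduction: float, loss_reduction: float) -> float:
    """Controls cut the event probability and/or the loss per event, at an annual cost."""
    residual_probability = s.annual_probability * (1.0 - probability_reduction)
    residual_sle = s.single_loss_expectancy() * (1.0 - loss_reduction)
    return round(control_cost + residual_probability * residual_sle, 2)


def best_option(costs: Dict[str, float]) -> Tuple[str, float]:
    """Cheapest expected annual cost among the priced options."""
    name = min(costs, key=costs.get)
    return name, costs[name]


# Constructed scenarios (hypothetical numbers).
RANSOMWARE = Scenario(
    business_process="Order fulfilment",
    event="ransomware worm encrypts the shared file cluster",
    annual_probability=0.15,
    losses={"recovery": 400_000, "downtime": 600_000, "legal fees": 150_000,
            "identity protection": 50_000, "fines": 200_000},   # SLE = 1,400,000
)
CREDENTIAL_STUFFING = Scenario(
    business_process="Customer portal",
    event="credential stuffing leads to account takeover",
    annual_probability=0.40,
    losses={"fraud reimbursement": 120_000, "identity protection": 40_000,
            "legal fees": 30_000, "reputation": 100_000},       # SLE = 290,000
)


def price_ransomware_options() -> Dict[str, float]:
    """Expected annual cost of each treatment for the top-ranked scenario (hypothetical terms)."""
    return {
        "accept": accept(RANSOMWARE),
        "insure": insure(RANSOMWARE, premium=60_000, deductible=100_000, limit=1_000_000),
        "transfer": transfer(RANSOMWARE, fee=80_000, retained_fraction=0.3),
        "mitigate": mitigate(RANSOMWARE, control_cost=90_000,
                             probability_reduction=0.5, loss_reduction=0.6),
    }


if __name__ == "__main__":
    for process, ale in rank_by_exposure([RANSOMWARE, CREDENTIAL_STUFFING]):
        print(f"{process:18s} expected annual loss: ${ale:,.0f}")
    options = price_ransomware_options()
    for name, cost in options.items():
        print(f"  {name:9s} -> ${cost:,.0f} per year")
    print("cheapest:", best_option(options))
```

Two things the numbers make visible that the bullet list alone does not: insurance only beats mitigation here because the policy limit happens to cover most of the SLE, and mitigation's value comes from shrinking both the probability and the loss, so the inputs that matter most (event likelihood and per-event cost) are exactly the ones a cyber posture assessment has to feed in. Change the constructed premium, limit or control cost and the ranking of options flips, which is the point: the decision is only as good as the exposure estimate behind it.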
All of these options are available to the teams facing cyber risks, too. However, the answer to which option is best is hidden beneath a mountain of complex calculations. This is where I get to tee up Nehemiah Security's RQ platform. RQ can help your organization decide how to address its cyber risks by mapping cyber posture to possible loss outcomes. It can help you prioritize mitigations by showing which business processes and supporting applications are at greatest financial risk. Or maybe you need a quantifiable basis for cyber insurance.
And the icing on the cake? Products like RQ can help communicate cyber risk exposure to executives and the board in their native tongue – the language of dollars.