Cyber Risk = Business Risk. Time for the Business-Aligned CISO

Data breaches, ransomware and other cyber attacks causing massive reputation issues (Equifax), knocking down merger prices (Yahoo!) or interrupting operations on a global scale (the NotPetya virus victims), have elevated cybersecurity concerns from the server room to the boardroom. Heightening these apprehensions further, regulators have made it clear they’ll be looking hard at corporate disclosure of cyber incidents (the U.S. Securities and Exchange Commission, SEC) and at the protection of personal data (the EU’s GDPR) – and they’re just getting started. Cyber risk now equals risk to the whole business.

This is now a great opportunity for CISOs and other cybersecurity professionals to graduate to board and C-level discussions and score the level of resources and support they’ve wanted for a while. It’s also a challenge that many infosec pros won’t be prepared for. Now that you’ve got the attention of business top brass, can you connect with them? Can you be a business-aligned CISO?

Let’s take a quick look at the view from the C-suite and the boardroom. Two key points to know about that atmosphere:

1. Cyber risk is just another cost of doing business — and they are watching many of them. Cybersecurity is not a special skunkworks. Sure, it’s a field that requires plenty of technical expertise but so do operations, finance, and other business units.

2. They are used to seeing risk presented as “loss exposure” in dollars. Whether it’s market risk, credit risk or other components of enterprise risk management, other business units can answer questions about probable losses as a range of dollar amounts. Against those numbers, decision makers can set a “risk appetite”, a level of exposure to loss that guides responses, such as investing in more controls, buying insurance, living with it, etc.

Now let’s focus on the info-security team, where the viewpoint probably looks quite different. In fact, it’s often an IT-centric rather than a business-aligned viewpoint. Cybersecurity risk reporting may be done through maturity ratings: comparisons to IT industry checklists of best practices – with the assumption that more boxes checked must mean less risk – or comparisons to what others in the IT industry spend on security – with the assumption that more money spent must mean less risk. Some risk ratings may even be based on the gut feelings of the info-risk team – often labeled as “medium” (the safe way out) – or expressed in counts of patches, vulnerabilities or other terms that those outside of IT don’t understand.

None of these ratings are effective communication tools to senior management or the board because they don’t talk about risk in the same way the rest of the business understands risk. Some cybersecurity experts still say it’s impossible to quantify cyber risk in financial terms. But that attitude is fading. Recently, the global analyst firm Gartner named risk quantification as one of its five must-haves to run an integrated cyber risk management program.

One way to measure and quantify risk is by using the standard Factor Analysis of Information Risk (FAIR) Model, which assesses information risk in financial terms. It’s an effective method for gathering data about cybersecurity events from company and industry sources, for associating dollar values for different forms of loss, and for running the data through Monte Carlo simulation engines to generate loss exposure values (risk) in financial terms.


According to FAIR, risk is the probable magnitude and probable frequency of future loss. Both sides of the equation are important. High magnitude with low frequency can be a low risk; high frequency with low magnitude can add up to high risk.

As you’ll see in the FAIR standard risk concepts, there are a couple of first steps to take when aligning cyber risk with the business in loss exposure terms:

1. Understand where and how the business makes the most money or creates the most value—and by extension, where the most financial impact would fall in the event of a cyber attack (or in traditional IT terms, which leg of the C-I-A triad – confidentiality, integrity, availability – matters most). The disruption of ecommerce, the theft of plans, designs or other intellectual property, a breach of confidential customer information from a database – these lead to loss of sales, loss of market share, legal costs, labor costs, etc. These losses are quantifiable, in fact, simply by asking around in your finance, HR, legal or operational units, perhaps augmented with industry reports.

2. Understand the types and frequency of the cyber events likely to cause a loss. Your security operations center (SOC), or whichever department logs your cyber failures, will be your door to where and when these cyber attacks historically took place. This, combined with a threat intelligence vendor and industry reports such as the Verizon Data Breach Investigations Report, will provide an idea of future cyber attacks for your business.
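To show how the two inputs above (loss magnitude per event, loss event frequency) combine into a loss exposure figure in dollars, here is a small FAIR-style Monte Carlo simulation. It is an added example, not code from the article or from the FAIR standard; the two scenarios, the triangular (min / most likely / max) loss distribution and the Poisson event frequency are assumptions chosen for illustration.

```python
import math
import random

def poisson(rng, lam):
    """Draw a Poisson event count (Knuth's method); stdlib random has no poisson()."""
    limit, k, p = math.exp(-lam), 0, 1.0
    while True:
        p *= rng.random()
        if p < limit:
            return k
        k += 1

def simulate_annual_loss(freq_per_year, low, mode, high, years=10000, seed=7):
    """Annualized loss exposure for one scenario.

    freq_per_year: loss event frequency (Poisson mean), e.g. from SOC incident history.
    low/mode/high: calibrated min / most likely / max dollar loss per event,
                   modelled with a triangular distribution (a simplifying assumption).
    Returns one simulated total loss per simulated year.
    """
    rng = random.Random(seed)
    totals = []
    for _ in range(years):
        events = poisson(rng, freq_per_year)
        totals.append(sum(rng.triangular(low, high, mode) for _ in range(events)))
    return totals

def summarize(totals):
    """Mean and tail percentiles: the loss exposure range a board sets a risk appetite against."""
    s = sorted(totals)
    pct = lambda q: s[int(q * (len(s) - 1))]
    return {"mean": sum(s) / len(s), "p50": pct(0.5), "p90": pct(0.9), "p95": pct(0.95)}

# Constructed scenarios (hypothetical numbers, not from the article):
# A: rare but severe (ransomware halting ecommerce); B: frequent but minor (phishing cleanups).
SCENARIOS = {
    "A_rare_severe": dict(freq_per_year=0.1, low=1_000_000, mode=5_000_000, high=20_000_000),
    "B_frequent_minor": dict(freq_per_year=50, low=5_000, mode=20_000, high=50_000),
}

def compare():
    """Loss exposure statistics for every scenario, keyed by scenario name."""
    return {name: summarize(simulate_annual_loss(**p)) for name, p in SCENARIOS.items()}

if __name__ == "__main__":
    for name, stats in compare().items():
        print(name, {k: f"${v:,.0f}" for k, v in stats.items()})
```

Note that the frequent-but-minor scenario carries the higher expected annual loss, while the rare-but-severe one has a median of zero and only shows up in the tail percentiles, which is exactly why both sides of the frequency/magnitude equation must be reported.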
