Cyber Risk = Business Risk. Time for the Business-Aligned CISO

Data breaches, ransomware and other cyber attacks causing massive reputation damage (Equifax), knocking down merger prices (Yahoo!) or interrupting operations on a global scale (the NotPetya victims) have elevated cybersecurity concerns from the server room to the boardroom. Regulators have heightened those concerns further: the U.S. Securities and Exchange Commission (SEC) has made it clear it will look hard at corporate disclosure of cyber incidents, the EU’s GDPR at the protection of personal data, and they are just getting started. Cyber risk now equals risk to the whole business.

This is a great opportunity for CISOs and other cybersecurity professionals to graduate to board and C-level discussions and secure the resources and support they’ve wanted for a while. It’s also a challenge that many infosec pros won’t be prepared for. Now that you’ve got the attention of the business’s top brass, can you connect with them? Can you be a business-aligned CISO?

Let’s take a quick look at the view from the C-suite and the boardroom. Two key points to know about that atmosphere:

1. Cyber risk is just another cost of doing business, and the board watches many such costs. Cybersecurity is not a special skunkworks. Sure, it’s a field that requires plenty of technical expertise, but so do operations, finance and the other business units.

2. They are used to seeing risk presented as “loss exposure” in dollars. Whether it’s market risk, credit risk or another component of enterprise risk management, other business units can answer questions about probable losses as a range of dollar amounts. Against those numbers, decision makers set a “risk appetite”: a level of loss exposure that guides the response, such as investing in more controls, buying insurance, or accepting the risk and living with it.

Now let’s focus on the information security team, where the viewpoint probably looks quite different. In fact, it’s often an IT-centric rather than a business-aligned viewpoint. Cybersecurity risk is frequently reported through maturity ratings: comparisons against IT-industry checklists of best practices, on the assumption that more boxes checked must mean less risk, or comparisons against what others in the industry spend on security, on the assumption that more money spent must mean less risk. Some risk ratings are based on little more than the gut feeling of the info-risk team, usually labeled “medium” (the safe way out), or are expressed as counts of patches, vulnerabilities or other terms that people outside IT don’t understand.

None of these ratings is an effective communication tool for senior management or the board, because none of them talks about risk the way the rest of the business understands risk. Some cybersecurity experts still say it’s impossible to quantify cyber risk in financial terms, but that attitude is fading. Recently, the global analyst firm Gartner named risk quantification one of its five must-haves for running an integrated cyber risk management program.


One way to measure and quantify risk is the Factor Analysis of Information Risk (FAIR) model, an Open Group standard that assesses information risk in financial terms. It provides a method for gathering data about cybersecurity events from company and industry sources, assigning dollar values to the different forms of loss, and running that data through Monte Carlo simulation to generate loss exposure values (risk) as a range of dollar amounts.

According to FAIR, risk is the probable frequency and probable magnitude of future loss. Both factors matter: a high-magnitude event with low frequency can be a low risk, while high-frequency, low-magnitude events can add up to a high risk. The rare, severe event still drives the worst-case tail of the loss distribution, which is why the full range of outcomes, not just the average, should be reported.

As you’ll see in the FAIR standard’s risk concepts, there are a couple of first steps to take when expressing cyber risk in the loss exposure terms the business uses:

1. Understand where and how the business makes the most money or creates the most value, and, by extension, where the greatest financial impact would fall in the event of a cyber attack on the confidentiality, integrity or availability of those assets (the traditional IT C-I-A triad). The disruption of ecommerce, the theft of plans, designs or other intellectual property, or a breach of confidential customer information from a database lead to lost sales, lost market share, legal costs, labor costs and so on. These are quantifiable, often just by asking around in your finance, HR, legal or operational units, perhaps augmented with industry reports.

2. Understand the types and frequency of the cyber events likely to cause a loss. Your security operations center (SOC), or whichever department logs your security incidents, is the door to where and when these attacks have historically occurred. Combined with a threat intelligence vendor’s data and industry reports such as the Verizon Data Breach Investigations Report, that history gives a defensible estimate of future attack frequency for your business.
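As an added example (written for this page; it is not code from the article, SecurityWeek or the FAIR standard’s own tooling), the following Python script ties the two steps above to the Monte Carlo method described earlier. It takes a loss event frequency per year (the kind of number SOC history and industry reports supply), a minimum / most likely / maximum loss magnitude per event (the kind of number finance, legal and HR supply), simulates ten thousand years, and reports loss exposure as dollar percentiles and a probability of exceeding a risk appetite. The two scenarios, their parameters and the $3M appetite are constructed for illustration and are not real data; it also shows the frequency-versus-magnitude point, since the rare, severe scenario has the lower expected annual loss but by far the heavier tail.

```python
"""Monte Carlo loss-exposure estimate in the FAIR style.

Added illustration, not the FAIR standard's own tooling. Every input below
is constructed for the example: the two scenarios, their frequency and
magnitude parameters and the risk appetite are made up, not real data.
Standard library only, so it runs without numpy.
"""
import math
import random
from dataclasses import dataclass


@dataclass(frozen=True)
class Scenario:
    """A loss scenario in FAIR terms (all values hypothetical)."""
    name: str
    loss_event_frequency: float  # expected loss events per year (Poisson rate)
    magnitude_min: float         # dollars lost per event: minimum
    magnitude_mode: float        # dollars lost per event: most likely
    magnitude_max: float         # dollars lost per event: maximum


# Constructed scenarios. Frequency would come from SOC incident history and
# reports such as the DBIR; magnitude bounds from finance, legal and HR.
IP_THEFT = Scenario("IP theft (rare, severe)", 0.1, 1e6, 5e6, 20e6)
ACCOUNT_FRAUD = Scenario("Account takeover fraud (frequent, small)", 40.0, 10e3, 40e3, 120e3)
RISK_APPETITE = 3e6  # hypothetical: board tolerates up to $3M loss in a bad (p90) year


def _poisson(rng, lam):
    """Knuth's Poisson sampler: number of loss events in one simulated year."""
    limit = math.exp(-lam)
    k, p = 0, 1.0
    while True:
        p *= rng.random()
        if p <= limit:
            return k
        k += 1


def simulate_annual_losses(sc, trials=10_000, seed=7):
    """Return one total loss figure per simulated year.

    Each year draws an event count from Poisson(frequency), then a loss
    magnitude per event from a triangular(min, mode, max) distribution.
    """
    rng = random.Random(seed)  # fixed seed so the results are reproducible
    years = []
    for _ in range(trials):
        events = _poisson(rng, sc.loss_event_frequency)
        total = 0.0
        for _ in range(events):
            total += rng.triangular(sc.magnitude_min, sc.magnitude_max, sc.magnitude_mode)
        years.append(total)
    return years


def percentile(values, p):
    """Empirical p-quantile (0 <= p <= 1) of a list of annual losses."""
    ordered = sorted(values)
    return ordered[min(len(ordered) - 1, int(p * len(ordered)))]


def exceedance_probability(values, threshold):
    """Fraction of simulated years whose loss exceeds the threshold."""
    return sum(1 for v in values if v > threshold) / len(values)


def summarize(sc, appetite=RISK_APPETITE, trials=10_000, seed=7):
    """Loss exposure in the terms the board uses: dollars, ranges, appetite."""
    losses = simulate_annual_losses(sc, trials, seed)
    return {
        "scenario": sc.name,
        "expected_annual_loss": sum(losses) / len(losses),
        "p50": percentile(losses, 0.50),
        "p90": percentile(losses, 0.90),
        "p99": percentile(losses, 0.99),
        "p_exceed_appetite": exceedance_probability(losses, appetite),
        "within_appetite": percentile(losses, 0.90) <= appetite,
    }


if __name__ == "__main__":
    for sc in (IP_THEFT, ACCOUNT_FRAUD):
        s = summarize(sc)
        print(f"{s['scenario']}: EAL ${s['expected_annual_loss']:,.0f}  "
              f"p50 ${s['p50']:,.0f}  p90 ${s['p90']:,.0f}  p99 ${s['p99']:,.0f}  "
              f"P(loss > appetite) {s['p_exceed_appetite']:.1%}  "
              f"{'within' if s['within_appetite'] else 'exceeds'} appetite")
```

Reading the output the way a board would: the account fraud scenario has the larger expected annual loss but sits inside the $3M appetite at the 90th percentile, whereas the IP theft scenario loses nothing in most years, has a lower average, and still produces the worst single-year outcomes. Replace the triangular distribution with a PERT or lognormal one and the constructed parameters with your own finance and SOC figures, and the same summary becomes a defensible risk statement rather than a “medium”.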
