Data breaches, ransomware and other cyber attacks that cause massive reputation damage (Equifax), knock down merger prices (Yahoo!) or interrupt operations on a global scale (the victims of the NotPetya malware) have elevated cybersecurity concerns from the server room to the boardroom. Heightening those concerns further, regulators such as the U.S. Securities and Exchange Commission (SEC) have made it clear they’ll be looking hard at corporate disclosure of cyber incidents, the EU’s GDPR has done the same for the protection of personal data, and they’re just getting started. Cyber risk now equals risk to the whole business.
This is a great opportunity for CISOs and other cybersecurity professionals to graduate to board and C-level discussions and secure the level of resources and support they’ve wanted for a while. It’s also a challenge that many infosec pros won’t be prepared for. Now that you’ve got the attention of the business’s top brass, can you connect with them? Can you be a business-aligned CISO?
Let’s take a quick look at the view from the C-suite and the boardroom. Two key points to know about that atmosphere:
1. Cyber risk is just another cost of doing business, and they are watching many such costs. Cybersecurity is not a special skunkworks. Sure, it’s a field that requires plenty of technical expertise, but so do operations, finance and other business units.
2. They are used to seeing risk presented as “loss exposure” in dollars. Whether it’s market risk, credit risk or another component of enterprise risk management, other business units can answer questions about probable losses as a range of dollar amounts. Against those numbers, decision makers can set a “risk appetite”, a level of exposure to loss that guides the response: investing in more controls, buying insurance, accepting the risk, etc.
Now let’s focus on the info-security team, where the viewpoint probably looks quite different. In fact, it’s often IT-centric rather than business-aligned. Cybersecurity risk is frequently reported as maturity ratings: comparisons to IT-industry checklists of best practices, with the assumption that more boxes checked must mean less risk, or comparisons to what others in the industry spend on security, with the assumption that more money spent must mean less risk. Some risk ratings are based on little more than the gut feelings of the info-risk team, often labeled “medium” (the safe way out), or are reported as counts of patches, vulnerabilities or other terms that those outside IT don’t understand.
None of these ratings are effective communication tools to senior management or the board because they don’t talk about risk in the same way the rest of the business understands risk. Some cybersecurity experts still say it’s impossible to quantify cyber risk in financial terms. But that attitude is fading. Recently, the global analyst firm Gartner named risk quantification as one of its five must-haves to run an integrated cyber risk management program.
One way to measure and quantify risk is the Factor Analysis of Information Risk (FAIR) model, the Open Group standard for assessing information risk in financial terms. It’s an effective method for gathering data about cybersecurity events from company and industry sources, for attaching dollar values to different forms of loss, and for running that data through Monte Carlo simulation engines to generate loss exposure values (risk) in financial terms.
In FAIR, risk is the probable frequency and probable magnitude of future loss. Both factors matter: high magnitude with low frequency can be a low risk, and high frequency with low magnitude can add up to a high risk.
FAIR’s basic risk concepts point to a couple of first steps for aligning cyber risk with the business in loss-exposure terms:
Understand where and how the business makes the most money or creates the most value, and by extension where the greatest financial impact would fall in the event of a cyber attack that compromised confidentiality, integrity or availability (the traditional C-I-A triad). The disruption of ecommerce, the theft of plans, designs or other intellectual property, or a breach of confidential customer information from a database would lead to lost sales, lost market share, legal costs, labor costs and so on. These are quantifiable, often just by asking around in your finance, HR, legal or operations units, perhaps augmented with industry reports.
Understand the types and frequency of the cyber events likely to cause a loss. Your security operations center (SOC), or whichever team logs your security incidents, is your door to where and when these attacks have historically taken place. Combined with a threat intelligence vendor and industry reports such as the Verizon Data Breach Investigations Report, that history gives you an estimate of how often to expect future attacks on your business.
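As an added example (not code from this page, from the FAIR Institute, or from any certified FAIR tool), here is a small Monte Carlo in Python that turns the two inputs from the steps above, a loss-event frequency range from your incident history and a per-event loss range from finance and legal, into annualized loss exposure, and that also shows the frequency-versus-magnitude point in the FAIR definition of risk and the “risk appetite” check from the boardroom view. Everything in it is an assumption made for illustration: the `Scenario` fields, the `simulate` and `within_appetite` helpers, the two scenarios and their dollar and frequency numbers, the triangular distribution for frequency and the lognormal for magnitude (FAIR tooling typically uses PERT distributions fed by calibrated estimates), and the appetite threshold.

```python
"""FAIR-style Monte Carlo: annualized loss exposure from loss event frequency x loss magnitude.

Added example for illustration; not FAIR Institute code and not a certified FAIR tool.
Distributions and scenario numbers below are assumptions, not published data.
"""
import math
import random
from dataclasses import dataclass

Z90 = 1.645  # half-width, in standard deviations, of a two-sided 90% interval


@dataclass(frozen=True)
class Scenario:
    """One loss scenario. Frequency comes from the incident history and threat intel
    (step 2), magnitude from finance, legal and HR estimates (step 1)."""
    name: str
    lef_min: float      # loss events per year: minimum
    lef_likely: float   # loss events per year: most likely
    lef_max: float      # loss events per year: maximum
    lm_low: float       # per-event loss, low end of a 90% confidence interval (dollars)
    lm_high: float      # per-event loss, high end of that interval (dollars)


def lognormal_params(low, high, z=Z90):
    """mu and sigma of a lognormal whose central 90% interval is [low, high]."""
    mu = (math.log(low) + math.log(high)) / 2
    sigma = (math.log(high) - math.log(low)) / (2 * z)
    return mu, sigma


def poisson(lam, rng):
    """Knuth's Poisson sampler; adequate for the modest event rates used here."""
    threshold = math.exp(-lam)
    k, p = 0, 1.0
    while True:
        p *= rng.random()
        if p <= threshold:
            return k
        k += 1


def simulate_year(sc, rng, mu, sigma):
    """Loss for one simulated year: draw the event rate, then the number of events,
    then a magnitude for each event, and add them up."""
    rate = rng.triangular(sc.lef_min, sc.lef_max, sc.lef_likely)
    events = poisson(rate, rng)
    return sum(rng.lognormvariate(mu, sigma) for _ in range(events))


def percentile(sorted_values, p):
    idx = min(len(sorted_values) - 1, int(p * len(sorted_values)))
    return sorted_values[idx]


def simulate(sc, years=10_000, seed=7):
    """Annualized loss exposure statistics over `years` simulated years."""
    rng = random.Random(seed)
    mu, sigma = lognormal_params(sc.lm_low, sc.lm_high)
    losses = sorted(simulate_year(sc, rng, mu, sigma) for _ in range(years))
    return {
        "mean": sum(losses) / years,
        "p50": percentile(losses, 0.50),
        "p90": percentile(losses, 0.90),
        "p95": percentile(losses, 0.95),
        "max": losses[-1],
    }


def within_appetite(stats, appetite_dollars, level="p90"):
    """Risk-appetite check: is the chosen exposure percentile at or under the stated limit?"""
    return stats[level] <= appetite_dollars


# Constructed scenarios with assumed numbers, for illustration only.
RANSOMWARE = Scenario("ransomware outage (rare, severe)", 0.05, 0.10, 0.20, 1_000_000, 10_000_000)
FRAUD = Scenario("phishing-enabled payment fraud (frequent, small)", 20, 30, 60, 5_000, 50_000)

if __name__ == "__main__":
    appetite = 2_000_000  # assumed board-approved limit on p90 annual loss
    for sc in (RANSOMWARE, FRAUD):
        s = simulate(sc)
        print(f"{sc.name}: mean ${s['mean']:,.0f}  p50 ${s['p50']:,.0f}  "
              f"p90 ${s['p90']:,.0f}  p95 ${s['p95']:,.0f}  "
              f"within appetite: {within_appetite(s, appetite)}")
```

With the seeded run, the rare-but-severe ransomware scenario has a mean annualized loss of roughly $0.5M and a median of $0 (most years see no event), while the frequent-but-small fraud scenario comes out higher, at roughly $0.75M, which is the “high frequency with low magnitude” case. Reporting a percentile such as p90 or p95 against a stated risk appetite, rather than a single “medium”, is what gives the board a number it can act on.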