There was a time once when CISOs could dazzle or dominate every conversation with the board or senior management – they were the high priests of a technology that no one outside the cubicles of the IT group could understand. The inside joke was that all it took was FUD – Fear, Uncertainty and Doubt – to win budget. A heat map with some angry red zones was a good visual aid.
Enter the Standards Compliance era – CISOs had industry-accepted, and even government-approved standards like the National Institute of Standards and Technology Cybersecurity Framework (NIST CSF), to justify spend toward a goal of “maturity” — filling out your compliance checklist. More recently, vendors have begun offering CISOs security “scorecards” that count maturity ratings, vulnerabilities, threat issues, patching history, and other indicators to spin up a numerical security rating.
Now, we’ve entered new era. Recently, we’ve seen malware paralyze operations and ding profits at major global companies and data breaches give haircuts to stock valuations. We’ve seen government regulators—the SEC, the New York Department of Finance, and the EU through the General Data Protection Regulation (GDPR)—steadily increasing supervision of cyber activities by private companies, demanding more, and better, disclosure. We’ve seen large companies in every industry facing digital disruption—from autonomous vehicles and the Internet of Things, to Bitcoin– and try to weigh the risks and rewards of adapting.
These are board room and C-suite concerns, and from their vantage point, cyber risk has risen to the level of enterprise risk – which they expect to be measured, managed, and reported in the terms that the rest of the enterprise understands, namely, in financial terms to show the likelihood and potential cost of losses. And that’s a problem for the standard CISO communication toolkit because it doesn’t really communicate business risk. At best, it offers implied risk—if our scorecard number is low we must have more risk, right? And if we spend more on controls to make the numbers increase we must have less risk, right?
Just don’t ask us to tell you how much more or less risk, and certainly not in dollars. And don’t look to us to help you with the tough questions you face, such as:
• How can I disclose to regulators if our cyber risk hits levels that materially impact the finances of the company?
• What’s the return on investment for any major cyber project with a security aspect, like moving operations to the cloud or consolidating and protecting our critical intellectual property?
Hiding behind techno-babble just won’t work anymore. Expectations have changed. Welcome, CISOs, to the era of Cyber Risk Economics.
The good news is that your profile in the organization has jumped up several levels, which is an invitation to up your game, to think more broadly and in business terms about cyber risk and cybersecurity.
Great, but where to start? Consider the standard Factor Analysis of Information Risk (FAIR) Model for Quantitative Risk Analysis.
Despite the name, FAIR is more of a change in thinking about risk rather than another scorecard of numbers. Many infosec teams are using FAIR – First, to identify and define the organization’s true risks as possible loss scenarios driven by cyber events. The questions that need to be answered to describe such a loss event are: What is the asset at risk? What is the threat that we are facing? What is the threat effect? What are the forms of loss that we could incur?
Second, infosec teams use FAIR to measure risk as the probable frequency and probable impact of such loss events, which allows them to communicate risk to the other business stakeholders in a language they understand—dollar amount.
So, a “vulnerability” is not a risk. “Ransomware” is not a risk. “The Cloud” is not a risk. If those sound like the items listed as risks in your risk register, you’re not alone. These are factors that contribute to risk but are not a loss event by themselves. Many teams start implementing FAIR by cleaning up their risk registers and getting everyone focused on the probable events that could cause their organization real loss. They move onto prioritizing those risks and then, with the use of FAIR-powered software, running analyses to see what controls are most effective in reducing risk. When the board or senior management want to understand the implications of a new threat or an audit finding, or the risk associated with a new initiative, like moving a critical application to the cloud, they have the analytical skills and the applications to quickly send back a range of scenarios that make the risk choices clear to the decision makers.
This is a growing movement, and I think it’s the right movement during this era of heightened expectations for CISOs.