The days when a security team could implement a new security technology and then sit back, put their feet on their desks and consider themselves secure are long gone. Today, companies are coming to grips with the fact that they’re never 100% secure. The question today is how much risk a company is willing to accept.
Many CISOs, however, think that quantifying cyber security risk is too difficult, too ambiguous, too elusive. And with today’s traditional methods of risk assessment, they’re right.
That’s why when a CISO approaches management with a budget request for a new technology or security initiative, it’s a meeting between people speaking two different languages. The CFO and CEO think in terms of monetary amounts – business value and ROI. Without those numbers to refer to, the CISO must somehow convince top management that the investment is necessary. The CISO resorts to the only argument the executives will respond to: Fear. “If we don’t do this, the sky’s gonna fall.”
After all, no company wants to be the next news headline.
But at the end of the day, how does a company know if its security investments are effectively reducing or eliminating risks to the degree that its executives hope or imagine they are? The expensive employee training program, the event monitoring system, replacing security software across the organization? How does an organization know if it’s investing in the right places, or if it has purchased the proper level of insurance to adequately cover them in the event of a data breach, ransomware incident or DDoS attack?
And how does the CISO show top management how important these investments are to the company, without resorting to FUD to get the message across?
The answer lies in being able to quantify the impact of a cyber breach to your company, the very practice CISOs often shy away from. It’s true that using ambiguous rating systems or red, green, and yellow risk colors doesn’t give much to go on.
“Most managers rely on qualitative guidance from ‘heat maps’ that describe their vulnerability as ‘low’ or ‘high’ based on vague estimates that lump together frequent small losses and rare large losses,” write Chacko, Sekeris and Herbolzheimer in the Harvard Business Review. “But this approach doesn’t help managers understand if they have a $10 million problem or a $100 million one, let alone whether they should invest in malware defenses or email protection. As a result, companies continue to misjudge which cybersecurity capabilities they should prioritize and often obtain insufficient cybersecurity insurance protection.”
It’s possible to put real numbers to your cyber risk assessments. It’s possible to speak in a language the board room will understand.
“Implementing this technology will cost $100,000, but it will reduce our risk by $2 million.” “We can reduce our cyber insurance coverage by $50 million, and here’s why.” These are statements CISOs and CFOs can make and confidently back up with the help of new ways of measuring and quantifying cyber risks. F-Secure’s method is called Cyber Breach Impact Quantification (CBIQ), and it predicts how much a cyber incident will cost an organization. It also shows how much companies will reduce their risk by implementing a specific security control.
Marko Buuri, Principal Risk Management Consultant at F-Secure, explains the basic idea behind CBIQ in the video below. Marko has also laid out an example of quantifying cyber breach impact using the CBIQ method – check it out here.
Buuri says that quantifying breach impact using real monetary amounts diminishes or altogether eliminates the cognitive biases that so often stand in the way when making decisions based on ambiguous color coded heat maps. Using real numbers that are defendable and transparent paves the way for better communication between all parties. No more arguing over whether to implement a certain technology – just run the numbers and let them speak for themselves.
Or, in Buuri’s words, “Why settle for guesstimates when you can produce a defendable view of the risk?”
Visit our website to learn more about our approach towards risk management – you can also download an infographic on the benefits of the CBIQ method compared to traditional risk quantification tools.