Cyber risk quantification – speaking the board’s language
One of the biggest issues that CISOs face today is being unable to calculate the value of security in a way that translates to the board members. The way security professionals measure the effectiveness of their activity may not be enough to convince the board, simply because all departments speak their own language when it comes to their individual fields of work. Often for CISOs, the true value of security is revealed when a breach occurs, by which time the board may see this as a failure of security. With cybercrime expected to cost the world a shocking $10.5 trillion annually by 2025 according to a report by Cybersecurity Ventures, security teams desperately need a solution.
Armed with comprehensive cyber risk quantification, CISOs finally have a way to coherently deliver the value of different cybersecurity practices to members of the board in a language everyone speaks – financial impact of a data breach.
How is the threat landscape evolving?
Businesses around the world are embracing digital technology at a rapid pace, and the technology being deployed is all about speed. From artificial intelligence (AI) to Software-as-a-Service (SaaS), organisations are committed to finding solutions that fundamentally speed up the way teams manage, retain and attract new customers, removing human latency from the processes.
In addition to the fast-paced change happening within the industry, the general infrastructure of business networks is becoming far more complex, with countless ways in and out of the system. While there are definite benefits to this development, it also brings with it a whole host of new security challenges. Attackers are forever probing company infrastructure, stealing sensitive data and targeting partner businesses. In fact, the number of data breaches in 2021 has already surpassed that of the previous year.
As the landscape continues to evolve, previous practices become things of the past, and all of these changes contribute to the challenge of translating everything for the board. For example, where the cyber team was previously solely responsible for securing an organisation, this has now become a much broader task. Instead, the company must enable the cyber team to champion a safer digital climate for the business by establishing employee stakeholders, so that everyone becomes responsible for security.
Additionally, some organisations have fallen into the trap of adding a new product every time a new vulnerability is discovered, which has led to a product pile-up. Small businesses could end up with 20 different security tools, and large companies could have in excess of 130, which has created a data explosion. While data is imperative to a strong cybersecurity posture, too much of it can make it difficult to manage and apply to the mechanisms of the business.
So, this is often where security teams find themselves, juggling siloed security products and drowning in data, all while trying to present the board with a coherent strategy in a way everyone understands.
Cyber risk quantification: A change in mindset
Cyber risk quantification is a mindset, a commitment to move away from a siloed approach and towards a business-wide strategy that is accessible to everyone. This model uses several data points to inform the result, including people, technology, third parties, products, and policies and procedures. By performing in-depth analysis into all of these points, teams will be provided with a breach likelihood figure that can be converted into a dollar value – the language spoken by all departments. For example, the system will deliver the monetary value in damage inflicted per asset or server in the event of a breach. This figure is scored and contextualised by factors such as geography, industry and size of company, and then married with real-time threat intelligence to give an accurate reflection of the state of the company’s cybersecurity.
Once the business understands the risk, it can review which areas of the network need priority attention. Teams can focus on the employees and servers that pose greater risks to the company in the event of a breach – such as users who have a track record of clicking on phishing links. Further, campaigns can be devised to support each area of the business with security, including organising training or policy reviews. One of the biggest benefits of cyber risk quantification, however, is the ability to apply it to third-party companies, which can often be major risks to cybersecurity. New domains can be input to the system and any gaps or weaknesses in their security will immediately be identified.
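To make the mechanics of the section above concrete, here is a small worked model added for this article; it is not the method of any particular product. It takes the kind of data points the text lists (per-asset breach likelihood, phishing click history, third-party ownership, industry and company size), converts each asset's likelihood into an expected annual loss in dollars, ranks assets and suppliers for priority attention, and runs a Monte Carlo simulation so the board can be shown a typical year alongside a bad year. The industry and size multipliers, the per-record cost, the "threat intelligence uplift" and all the asset figures are constructed placeholders, not benchmarks.

```python
"""Illustrative cyber risk quantification: breach likelihood -> dollar impact.

Added example, not vendor code. All multipliers and asset figures are
constructed placeholders chosen to show the arithmetic, not real benchmarks.
"""
from dataclasses import dataclass
import random

# Assumed contextual multipliers (placeholders, not industry data).
INDUSTRY_FACTOR = {"healthcare": 1.4, "finance": 1.3, "retail": 1.0}
SIZE_FACTOR = {"small": 0.8, "medium": 1.0, "large": 1.3}


@dataclass(frozen=True)
class Asset:
    name: str
    owner: str                  # internal team or a third-party supplier
    records: int                # sensitive records exposed if breached
    cost_per_record_usd: float  # assumed cost of one exposed record
    breach_probability: float   # baseline annual likelihood from control gaps
    phishing_click_rate: float = 0.0  # click history of this asset's users


def breach_likelihood(asset, threat_intel_uplift=0.0):
    """Annual breach probability adjusted for phishing history and the
    assumed current threat level; clamped to the range [0, 1]."""
    p = asset.breach_probability * (1.0 + asset.phishing_click_rate)
    return max(0.0, min(1.0, p + threat_intel_uplift))


def breach_impact_usd(asset, industry, size):
    """Dollar damage if this asset is breached, scaled by context."""
    return (asset.records * asset.cost_per_record_usd
            * INDUSTRY_FACTOR[industry] * SIZE_FACTOR[size])


def expected_annual_loss(asset, industry, size, threat_intel_uplift=0.0):
    """Likelihood x impact: the single figure that speaks to the board."""
    return (breach_likelihood(asset, threat_intel_uplift)
            * breach_impact_usd(asset, industry, size))


def rank_assets(assets, industry, size, threat_intel_uplift=0.0):
    """Return (expected_loss, asset_name, owner) tuples, highest loss first,
    so teams and third parties needing attention surface at the top."""
    scored = [(expected_annual_loss(a, industry, size, threat_intel_uplift),
               a.name, a.owner) for a in assets]
    return sorted(scored, key=lambda t: t[0], reverse=True)


def simulate_annual_loss(assets, industry, size, trials=10000, seed=1,
                         threat_intel_uplift=0.0):
    """Monte Carlo over one year: each asset independently breaches with its
    likelihood. Returns mean and 90th-percentile total loss, which separates
    'a typical year' from 'a bad year' in the board conversation."""
    rng = random.Random(seed)
    totals = []
    for _ in range(trials):
        total = 0.0
        for a in assets:
            if rng.random() < breach_likelihood(a, threat_intel_uplift):
                total += breach_impact_usd(a, industry, size)
        totals.append(total)
    totals.sort()
    p90_index = min(trials - 1, int(0.9 * trials))
    return {"mean": sum(totals) / trials, "p90": totals[p90_index]}


# Constructed sample inventory, including one third-party supplier.
SAMPLE_ASSETS = [
    Asset("customer-db", "platform-team", 500_000, 150.0, 0.05, 0.10),
    Asset("hr-fileshare", "hr-team", 2_000, 150.0, 0.10, 0.30),
    Asset("payroll-vendor", "third-party", 2_000, 150.0, 0.20, 0.0),
    Asset("marketing-site", "marketing-team", 0, 150.0, 0.30, 0.0),
]

if __name__ == "__main__":
    for loss, name, owner in rank_assets(SAMPLE_ASSETS, "retail", "medium"):
        print(f"{name:16} {owner:16} expected annual loss ${loss:,.0f}")
    sim = simulate_annual_loss(SAMPLE_ASSETS, "retail", "medium")
    print(f"typical year ${sim['mean']:,.0f}, bad year (p90) ${sim['p90']:,.0f}")
```

The ranking shows why likelihood alone misleads: the marketing site has the highest baseline breach probability but holds no sensitive records, so its expected loss is zero, while the customer database dominates despite a low probability. The simulation's mean and 90th percentile are two different numbers the board can budget against.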
Financial impact of a data breach: Translating cyber risks to the board
Over the years, whenever a new security issue arises, the board gets scaremongered by numbers and more money is thrown at cyber defences – but companies are still getting breached. Research has shown that from 2021 to 2025, global cybersecurity spending is set to exceed $1.75 trillion. It’s clear that cyber teams need a new tactic, and need to be able to quantify the risk of incoming attacks to convince the board of cybersecurity’s value.
We’ve noticed a lot of organisations are using various methods for rating the level of risk to their business, including red, amber and green ratings. Long gone are the days where this vague rating scale was enough – businesses need to put a quantifying measure against it. There is no point repeating the same tasks over and over if it’s not delivering the desired outcome. It’s time to do something different.
By adopting a cyber risk quantification mindset, security teams can approach the board confidently with the value of cybersecurity, as well as the financial impact in the event of a breach. Everyone around the board table has their own role, and they’re all in charge of different areas of the business, so security teams have to use a language that is understood by all. Cyber risk quantification can offer a measure that aligns with every person sitting around that table.