August 19, 2022
Recently, I was part of four conversations with security leaders across several industries – manufacturing, financial services, natural resources and healthcare – about some of the challenges they face with cyber risk management. All of them are looking for new approaches due to changes in expectations from their boards, senior executives and other stakeholders.
A few years ago CISOs were expected to have a complete picture of cyber risk for their organizations “in their heads”. CEOs, CFOs and boards would trust their CISOs to readily explain their organizations’ exposure to cyber risk with confidence, and have detailed knowledge of the actions needed to manage cyber risk. Fast forward to today, the digital attack surface has exploded and the “seat-of-the-CISO’s pants” method of cyber risk management does not work. While it is massively difficult to discover all vulnerabilities, it is even harder to quantify and communicate cyber risk. . As a result, cyber risk reports presented to boards and senior executives tend to:
It makes good cyber risk management impossible, leads to poor cybersecurity decisions, while leaving organizations open to attack and expensive breaches.
How can CISOs deliver on their senior leadership’s expectations in 2022?
Cyber Risk Quantification (CRQ) is increasingly seen as a way forward. Simply put, CRQ is a data-driven approach to quantifying an organization’s cybersecurity posture in dollar terms. Lets deep drive into 3 main reasons on why CISOs are prioritizing CRQ:
All of the security leaders we spoke to see a growing need to objectively communicate their cyber risk posture in terms of dollars to the board and the leadership team. Quantifying risk in monetary terms allows security leaders to communicate the cyber risk facing the organization and enables them to demonstrate improvements over time. This was true in our conversation with a major finance organization, where the CISO clarified their main goal is to effectively communicate the cost of cyber-risk to their C-suite. The prime drivers for doing so included:
A security leader from a healthcare major organization was more explicit, stating that his organization needs a CRQ tool to help justify budget requests to the board members. He is feeling pain because his existing board level dashboard is only partially automated and is thus prone to human error. “I struggle to put a number on the risk in relevance to the business,” he said. “I want to be able to quantify cost in terms of business days lost, breach/hack cost, loss of revenue and loss of profit.”
In these situations, CRQ helps CISOs answer top of the mind questions like: “what is our expected financial loss from cyber-attacks?”, “are our cybersecurity investments adequate?”, and “what do we need to do differently to reduce our cyber risk?”
For security leaders, it is critical that cyber risk is quantified in monetary terms so that their CFO, CEO and board can appreciate the amount of risk in business terms. Calculating breach risk in monetary terms provides a common language that organizations – from security engineers and IT admins to the CISO, CFO and CIO – can use to prioritize projects and spending, and track the effectiveness of their overall cybersecurity program. This is even more useful when risk can be broken down by business unit, geography, site or business owner.
One of the case studies we conducted with a Fortune 100 manufacturing firm revealed eye-opening insights around the state of cyber risk quantification. The reports are put together via manual spreadsheets, which takes painstakingly longer. Beyond that the gap areas are evident on several dimensions, as outlined in the table below.
A security leader of the manufacturing organization we spoke with expressed the pain of having to search through multiple security systems. He noted that the overall disjointed experience is time consuming and often leads to inaccurate data that causes ambiguity in understanding the risk. Instead he was looking for premade dashboards that can be split and sliced on the basis of industry verticals and that clearly articulate risk in dollars, a language understood broadly.
In our conversations, we are increasingly seeing the need for having dashboards with cyber security health metrics, split as per key business units and expressed in monetary terms.
In speaking with security leaders, a consistent requirement was to have an automated drilled down view with business metrics as the starting point but with a link to the operational causes leading to the quantified risk metrics shown on the dashboard.
For example, a VP of Cyber Security at one of the large banks we spoke with mentioned that, “the reports specific to mean time to remediate (MTTR) will allow my team to benchmark against their internal SLAs and will also demonstrate a good picture for executives on the remediation strategy.” The CISO of a natural resources company was also looking for ways to empower their team to build custom dashboards suitable for their context and act on the findings.
These interactions revealed that having a static CRQ dashboard isn’t enough as most security leaders are looking for traceability to the factors leading to the state of metrics. And CISOs are looking to do this quickly. As one of the leaders we spoke to said, “the most important thing for us is speed”. A static dashboard to communicate with the board is not enough. They also want operational cyber-risk dashboards with actionable insights to drive risk reduction.
With Balbix’s CRQ solution, security leaders can unify all of their cybersecurity data into a single comprehensive cyber risk quantification model. In doing so, everyone – from security analysts to the board – is provided with a view of cyber risk in dollars. Cyber risk can be easily reported according to business needs. CISOs can quickly demonstrate the value of their cybersecurity program and provide the ROI for future security investments. And, security teams can operationalize high velocity risk reduction and make better decisions faster.