In an age where boards and directors are more interested in cybersecurity than ever before – rated by Australian directors as the top-ranking issue keeping them ‘awake at night’ – the best way for CISOs and cybersecurity teams to communicate risk is in terms that the executive committee and directors will understand.
As a security leader, that means understanding your audience and the way they prefer to take in information.
However, it is too often assumed that directors would prefer cybersecurity risk to be quantified in terms of potential financial impact, just as any other business risk would be.
The theory is that quantifying risk financially not only speaks to leaders in their own language but also gives them a frame of reference for judging whether current investment in cybersecurity programs is working: if risk is benchmarked as a dollar amount, a board-approved investment should produce a measurable reduction in that figure.
This is the basis of cyber risk quantification (CRQ) frameworks in general and of the Factor Analysis of Information Risk (FAIR) model in particular, which decomposes risk into the expected frequency of loss events and the expected magnitude of each loss. But research, both quantitative and qualitative, suggests that expressing cyber risk in financial terms has significant drawbacks: it is hard to implement, and it may not lead to the outcomes its proponents promise.
It’s All A Numbers Game
Let’s deal with the quantitative results first.
Gartner research shows that communication with the board, C-level executives and other risk owners accounts for three of the top five reasons organisations go down the path of expressing cyber risk as a dollar amount. The same research also shows the challenges of CRQ, particularly in producing mathematically rigorous calculations of cyber risk, and this in turn limits the cut-through that CISOs achieve with their board and C-level stakeholders.
Gartner found that only 20% of CRQ adopters have reached the point of using "statistical modelling techniques" to calculate risk, while the largest group is still estimating risk "in terms of ordinal scales", that is, ranking priorities on a scale such as low, medium and high rather than calculating a figure.
The results of CRQ activities so far are mostly awareness-based: "increased credibility", better risk alignment and a clearer understanding of cyber insurance needs. They have yet to improve, for example, the prioritisation of security work.
Practical Implementation Is Where Things Fall Apart
CISOs who have gone down the path of expressing risk in dollar terms also report that it is challenging and that it can produce undesirable outcomes quite different from those promised by proponents.
A key challenge in putting a dollar figure on cyber risk is that different people will make different calculations. Conflicts of interest arise in how the figure is calculated, depending on who is doing the maths and what their objective is. If the objective is to get a particular project or investment approved by the board, such as licensing a new system or hiring extra staff, that may affect how the risk is presented and what financial cost is assigned to it. As one CISO noted, the impact of an incident "could be portrayed an order of magnitude greater or lesser, depending on the story you want to tell and the cost factors you choose to take into consideration."
A second challenge is that the calculations are an inexact science. There may be little supporting data from which to estimate the probability of a risk materialising, and even less from which to estimate its financial impact if it does.
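The two problems above, the choice of cost factors and the uncertainty in frequency and impact, can be made concrete with a small simulation. The script below is an added example; it is not from the article and is not an official FAIR tool. It assumes the usual FAIR decomposition (annual loss = loss event frequency in events per year, multiplied by loss magnitude in dollars per event), draws each from a triangular minimum/most-likely/maximum range of the kind an analyst would supply, and runs the same ransomware scenario twice: once counting only direct recovery costs with the organisation's own incident history, and once adding downtime, regulatory and churn costs with an industry-wide incident rate. Both input sets are constructed for illustration and both are arguably defensible, yet the headline figure differs by well over an order of magnitude.

```python
"""FAIR-style annualised loss estimate under two 'defensible' input sets.

Added example, not part of the original article and not an official FAIR
implementation. Assumes risk = loss event frequency (events/year) x loss
magnitude ($ per event), each drawn from a triangular (min, mode, max) range.
All input ranges are constructed for illustration only.
"""
import math
import random
from statistics import mean, median


def percentile(sorted_values, p):
    """Nearest-rank percentile of an ascending list (p in 0..100)."""
    idx = math.ceil(p / 100 * len(sorted_values)) - 1
    return sorted_values[min(len(sorted_values) - 1, max(0, idx))]


def expected_annual_loss(lef, lm):
    """Closed form for the mean: E[LEF] * E[LM], each triangular mean = (min+mode+max)/3."""
    return (sum(lef) / 3) * (sum(lm) / 3)


def simulate_annual_loss(lef, lm, n=20_000, seed=1):
    """Monte Carlo over one year: annual loss = frequency draw * magnitude draw.

    lef and lm are (min, most_likely, max) triples. Returns mean, median and
    90th percentile in dollars. The fixed seed keeps the run reproducible.
    """
    rng = random.Random(seed)
    lo_f, mode_f, hi_f = lef
    lo_m, mode_m, hi_m = lm
    samples = sorted(
        rng.triangular(lo_f, hi_f, mode_f) * rng.triangular(lo_m, hi_m, mode_m)
        for _ in range(n)
    )
    return {
        "mean": mean(samples),
        "median": median(samples),
        "p90": percentile(samples, 90),
    }


# Constructed inputs for one ransomware scenario on a single business unit.
# NARROW: direct response and restore costs only, frequency from the last two
# years of internal incident history.
NARROW = {
    "lef": (0.05, 0.10, 0.50),            # events per year (min, mode, max)
    "lm": (50_000, 150_000, 500_000),     # dollars per event
}
# BROAD: adds downtime, regulatory penalties and customer churn, and uses a
# wider industry incident rate instead of internal history.
BROAD = {
    "lef": (0.20, 0.50, 2.00),
    "lm": (500_000, 2_000_000, 10_000_000),
}


def compare(n=20_000, seed=1):
    """Run both framings; return their summaries and the ratio of mean annual loss."""
    narrow = simulate_annual_loss(**NARROW, n=n, seed=seed)
    broad = simulate_annual_loss(**BROAD, n=n, seed=seed)
    return narrow, broad, broad["mean"] / narrow["mean"]


if __name__ == "__main__":
    narrow, broad, ratio = compare()
    for name, stats in (("narrow", narrow), ("broad", broad)):
        print(
            f"{name:6s} mean ${stats['mean']:>12,.0f}  "
            f"median ${stats['median']:>12,.0f}  p90 ${stats['p90']:>12,.0f}"
        )
    print(f"same scenario, headline figure differs by about {ratio:.0f}x")
```

The analytic means are roughly $50,000 a year for the narrow framing and $3.75 million for the broad one, a ratio of about 74, so the Monte Carlo ratio lands well above 10 regardless of seed. Note also that the distributions are right-skewed, so the median sits below the mean and the 90th percentile well above it; which of those three numbers goes on the board slide is itself a framing choice.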
Boards will also have their own ideas: presented with risk as a dollar figure, few directors will accept it at face value. Once questions are asked and answered, some will conclude the figure is lower than stated, others that it is higher.
Beyond scepticism, a large topline figure may induce panic or an unanticipated response from directors. One former CISO described presenting a high risk estimate for a business unit responsible for 30% of net operating margin, intending to show that its protections should be adequately resourced; it instead persuaded directors of the merits of divesting that unit to reduce the overall risk being carried.
While CRQ remains potentially valuable, the consensus is not to lean too heavily on expressing it in financial terms. One CISO instead measures risk and prioritises resources according to which assets an adversary would find most valuable. Another suggests working more closely with directors to learn how they would prefer to understand cyber risk, rather than assuming that dollar amounts are the best or most easily communicated method.
All of which is to say that there are many ways to quantify cyber risk, from dollars to downtime. What matters is that the method you choose clearly communicates the risk and how you are compensating for it, and that it aligns with the methods the rest of your management team uses.