Acuity Risk Management

Cyber risk: Quantify what matters


Security continues to grow in importance within the enterprise; its stature has risen to regular board and executive level discussions. Spending on security products and services continues to grow at a furious pace. The current pandemic has heightened focus on the topic as workers shift to remote and disparate working environments creating new opportunities for malicious actors.

According to research by Centrify, 71% of UK-based business decision-makers believe the shift to 100% remote working during the COVID-19 crisis has increased the likelihood of a cyber breach. As a result, both mid- and post-pandemic cybersecurity will be viewed as critical infrastructure — as fundamental to business operations as internet and mobile connectivity.

However, as society finds its “new normal” and people return to work, there will be steep hills to climb. The financial and economic impact of the pandemic will be felt for months and years. Estimates are that global economic growth could be reduced by as much as 2% per month and global trade may see reductions of 13% – 32% in 2020. The reality is that budgets will be tight, with companies reducing spending as they start on the path to recovery. Goldman Sachs predicts large US companies will cut spending up to 33% in 2020. These cuts will include all facets of the company, and security budgets, while deemed essential, will face increasing scrutiny and will not be exempt from cuts.

The threat, however, is increasing, not decreasing, at this time of uncertainty. Prior to the pandemic, PwC found that on average an enterprise had six incidents of fraud in the last 24 months, with financial services being the primary target. IBM noted the cost of data breaches had risen over 130% since 2006 to $8.19M in 2019. The pandemic is making things worse, with the FBI reporting that cybercrime reports have quadrupled during the pandemic.

As threat actors are finding new ways to exploit vulnerabilities, this heightened level of cybercrime is surely going to be part of the new normal. With the threat increasing and pressure mounting on budgets, how can enterprises make sure that their money is being spent wisely in response to the measured risks to the business? How can security leaders demonstrate to the board and executive team that security expenditures are reducing cyber risk, and by how much? And what will be the basis for deciding whether the residual risk is tolerable? These questions are impossible to answer without credible measurements of cyber risk.

If you are not measuring cyber risk you won’t have the visibility to make informed decisions and, at best, may be spending your security budget inefficiently or, at worst, facing unknown exposure to cyber breaches.

The Case for Quantification

In this environment, security professionals must speak in terms the board understands: revenue, cost and risk. They need to lead the discussion and build their case repeatedly with verifiable evidence, not anecdotes.

Security leaders must:
• Understand potential financial losses from cyber-attacks and make financial appraisals of mitigating options
• Understand, evaluate and prioritize cyber risks using the same language as other business critical risks and opportunities
• Evaluate cyber security investment proposals and calculate “return on security investment”
• Make better informed decisions on the requirements for cyber insurance and the levels of coverage required

It all starts with cyber risk quantification. Measuring exposure to financial loss from cyber security breaches is the starting point for any evidence-based discussion. Until recently, cyber security professionals have been reluctant to employ quantification techniques because they felt that the data was inadequate to feed the quantitative risk calculations and that cyber security risks are too complex to model in this way. However, these objections are no longer valid.

Data scientists have demonstrated how we can estimate financial loss from cyber breaches using not much more data than that currently used to populate heat-maps and scorecards. New techniques for calculating, aggregating and reporting on quantitative risk enterprise-wide have emerged. Vendors have introduced innovation in modeling quantitative risk against the current state, and from there, quantifying the effect of change whether from new cybersecurity products and services, increasing or decreasing KPIs, or from new events such as cyber breaches, threat intelligence and vulnerabilities.

With enterprise-wide scalability, advanced data analytics and reporting, CISOs can now measure cyber risk and use this enhanced visibility to make informed decisions on priorities, budget allocation and investments in new products and services.

“What Gets Measured Gets Managed” – Peter Drucker

Understanding and managing financial exposure to cyber risks allows us to compare against other types of risk and make informed investments and other decisions. To do this we need to quantify this risk in financial terms. A breach’s impact can be very substantial and can include lost business resulting from reputational damage, loss of goodwill, increased customer acquisition costs and customer turnover. Additionally, there can be substantial costs in detecting, investigating and responding to a breach.

Quantifying the Risk

By combining an understanding of the likelihood of an event and its resulting impact it is possible to assess the level of risk an organisation faces and decide whether or not that risk is acceptable. As a very simple illustration, consider a scenario involving the possibility of an activist WebApp attack on an online store. If risk managers think that the likelihood of such a breach in the next week is 10% and the resulting impact would cost $10m, then the company faces a $1m risk (10% × $10m), and they can decide whether or not to tolerate it. If they decide this risk lies outside of their risk appetite, they must take action to reduce the risk to levels that they find acceptable.

Assuming the online store is critical to the business model, the company may not have the option to avoid the risk. They may be able to transfer some of the financial impact through insurance, but they still face potential reputational impacts. They’ll need to mitigate the risk by seeking to reduce likelihood, impact or both. They may have little control over the threat level they face, but they can reduce the likelihood of an event by adding more controls or improving the performance of existing controls. The company also may be able to take action to reduce the impact of a breach.

Most organisations will be subject to multiple threats from multiple threat actors. Therefore, it’s safe to assume the organisation will be exposed to multiple individual risks, each of which they must make sure they can tolerate. Even so, the aggregate of these individual risks could represent a substantial total risk to the organisation; they also need to make sure their total risk falls within their overall tolerance for risk.

Uncertainty, Quantification and Aggregation

In practice, we can’t say with any accuracy that the losses from a data breach will be $10m – this may be the most likely loss, but the actual loss could be lower or higher (potentially much higher) with differing probabilities. Similarly, there is uncertainty in the likelihood of an event. We can’t say with certainty, as in our simple example above, that there is a 10% chance of a $10m breach in the next week. In practice, there will be both an impact range and a likelihood range with a corresponding level of risk range. When faced with uncertainty, statistical analysis techniques can and should be used to estimate ranges of risk.

Simple heatmap approaches are also widely used in online risk management. While these can help with risk triage, they are unsuitable for measuring risk and supporting management decision-making. This becomes very apparent when we try to aggregate risks across the enterprise and evaluate the merits of various risk management strategies.
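The range-based estimation and aggregation described in this section can be carried out with a small Monte Carlo simulation. The sketch below is an added example, not Acuity's method or product code: the three risks, their likelihood and loss ranges, the $5m tolerance and the choice of uniform and lognormal distributions are all constructed assumptions, with the first risk centred on the 10% likelihood and $10m loss of the WebApp scenario above.

```python
import math
import random
import statistics

Z90 = 1.6448536269514722  # z-score bounding a two-sided 90% interval

# Constructed sample portfolio. Only the first scenario comes from the article;
# every range below is an assumed estimate (5th-95th percentile for losses).
RISKS = [
    {"name": "Activist WebApp attack on online store",
     "p_low": 0.05, "p_high": 0.15, "loss_low": 2e6, "loss_high": 50e6},
    {"name": "Ransomware outage (hypothetical)",
     "p_low": 0.02, "p_high": 0.08, "loss_low": 1e6, "loss_high": 20e6},
    {"name": "Payment fraud (hypothetical)",
     "p_low": 0.10, "p_high": 0.30, "loss_low": 1e5, "loss_high": 2e6},
]

def lognormal_params(low, high):
    """mu and sigma of the lognormal whose 5th/95th percentiles are low/high."""
    mu = (math.log(low) + math.log(high)) / 2
    sigma = (math.log(high) - math.log(low)) / (2 * Z90)
    return mu, sigma

def simulate(risks, trials=20_000, seed=1):
    """Return the aggregate loss of each simulated assessment period."""
    rng = random.Random(seed)  # fixed seed keeps the run reproducible
    params = [lognormal_params(r["loss_low"], r["loss_high"]) for r in risks]
    totals = []
    for _ in range(trials):
        total = 0.0
        for r, (mu, sigma) in zip(risks, params):
            # Likelihood is uncertain too, so draw it from its range first.
            if rng.random() < rng.uniform(r["p_low"], r["p_high"]):
                total += rng.lognormvariate(mu, sigma)
        totals.append(total)
    return totals

def summarize(totals, tolerance):
    """Mean loss, 95th-percentile loss and chance of exceeding tolerance."""
    ordered = sorted(totals)
    return {
        "mean": statistics.fmean(ordered),
        "p95": ordered[(95 * len(ordered)) // 100],
        "p_exceeds_tolerance": sum(t > tolerance for t in ordered) / len(ordered),
    }

if __name__ == "__main__":
    for label, risks in [("WebApp attack only", RISKS[:1]), ("All risks", RISKS)]:
        s = summarize(simulate(risks), tolerance=5e6)
        print(f"{label}: mean ${s['mean']:,.0f}, p95 ${s['p95']:,.0f}, "
              f"P(loss > $5m) = {s['p_exceeds_tolerance']:.1%}")
```

With these assumed ranges the mean loss for the WebApp risk comes out above the $1m point estimate because the loss distribution is skewed toward large breaches, and the portfolio's chance of exceeding the tolerance is higher than that of any single risk.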

Reporting Quantified Risk to the Board

By eliminating the guesswork through quantification of risk and presenting financially focused information, risk managers will be able to address the board’s key concerns. Risk managers must tie their reporting back to the questions posed earlier in this document: Are security expenditures reducing cyber risk? By how much? Is the residual risk tolerable? There are various ways to present risk data, so it is important for the data to be available on-demand and in a form which can be easily understood.

Risk managers need to be able to provide executives with the following information in close to real time:
• An overview of the identified risks
• Whether the ‘residual risk’ is within acceptable tolerances
• The level of compliance with control standards that are being applied to mitigate risks
• If necessary, the actions that need to be taken to bring the residual risk within risk appetite
• Progress monitoring to track actions through to completion

Risk managers should seek to provide the board with continuous visibility of risks in relation to business objectives and risk appetite. By assessing risks in financial terms, the language that executives understand, better risk decisions can be taken with confidence.
