Written by Saket Modi, CEO, at Safe Security
Describing the cost of failing to address cybersecurity threats is easy. The IBM Cost of a Data Breach Report 2021 shows that the average cost of a data breach soared from $3.86 million to $4.24 million in 2021 – the highest average total cost on record. That is a powerful and persuasive statistic that will help CISOs illustrate the financial risk of cybercrime.
However, it is often difficult to convey the value of the cybersecurity team’s work to ensure an expensive incident never happens – or to minimise costs when it does. A solution to this problem lies in cyber risk quantification, a model that uses multiple data points to create a tangible risk value for every asset in the organisation, in real time. This risk can then be easily translated into a dollar value that can be understood by everyone at all levels in the business.
Through risk quantification, CISOs have a powerful new way to communicate with executives, raise the profile of their work and gain a contextual advantage when it comes to influencing budget allocation decisions. Here are some ways CISOs can implement this approach.
Draw on the Power of Metrics
Cyber risk quantification incorporates data points gathered across a business and presents the likelihood of a breach as one easily understood metric. This single metric is much more powerful than disparate data points, allowing CISOs to show the potential cost of an attack and the reduction in that cost from investing in cybersecurity initiatives. Granular risk assessments can also highlight the financial impact of failing to address a known vulnerability, or highlight the risk posed by specific applications, devices, cloud instances or even third parties. Crucially, it helps organisations move away from a reactive approach to cybersecurity and towards a proactive one.
Modern security systems gather too much data for the C-Suite to digest. With a risk quantification system delivering the monetary value of damage, executives have a metric which speaks their language.
Forget Red, Amber and Green
Many organisations use legacy techniques to illustrate the level of risk to their business, such as the infamous red, amber and green ratings.
This vague rating scale is out of date, because businesses can now quantify the risk, rather than simply describe it in three loose and often overlapping categories.
A cyber risk score that translates into a dollar value is a shorthand that allows security heads to plainly communicate the impact of various security issues and secure buy-in for the budget needed to resolve them.
Beware the Peril of Point Products
When a new vulnerability is discovered, it can be tempting to simply install a new product. But this approach quickly leads to bloat and inefficiency. Small businesses now use up to 20 different security tools, and large companies could have in excess of 130, which has created a data explosion. It is estimated that businesses will cumulatively spend around $1.75 trillion on security in the next five years.
Whilst access to reliable, real-time data streams is a critical aspect of maintaining a strong cybersecurity posture, too much information is difficult to manage and apply within the business. Security teams often find themselves juggling siloed security products and drowning in data without clear and actionable insights.
When trying to communicate cybersecurity risk and value, CISOs can benefit from using fewer products – which will also keep the accounts department happy by reducing cost. The metric should be as simple and easy to understand as possible. Product pile-ups create complexity where simplicity is required.
Address the Human Problem
Human vulnerabilities should be measured and used to build a risk score. It is obviously more difficult to monitor employees than it is to measure the performance of technical infrastructure. Yet a reliable way of incorporating data about human risk is important for all organisations.
Discovering the individuals or departments that are most likely to fall victim to phishing is one way of quantifying the human risk. Another would be to scan employees’ devices to discover their use of security controls such as secure connectivity, passcode protection, OS patch installation status, and jailbreak status.
When building a risk score, it is critical to include the human element.
A cyber risk quantification model draws on data from every element of the business, including people, technology and even policies and procedures for first and third parties, including the supply chain. This information should be contextualised against other factors such as the size of an organisation, its geographic location or the industry it is part of. Finally, all data gathered during a risk assessment should be compared against real-time threat intelligence.
By using this information to generate a risk score with a dollar value, CISOs can convey all this complex information in a moment and start speaking the language of the C-Suite. Conveying risk in terms that resonate with senior executives will help security teams secure investment and result in a safer, more secure organisation.
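To make the idea above concrete, here is a small illustrative model, added for this article and not Safe Security's own methodology: each asset carries a dollar exposure and a likelihood contribution from technology, people (phishing click rate plus device controls, as in the "Address the Human Problem" section) and policy; the contributions are combined into a breach probability, weighted by an industry context factor, and converted to expected loss, so the dollar reduction from a control investment can be shown. All weights, assets and the industry factors are constructed assumptions for the example.

```python
from dataclasses import dataclass, replace
from typing import Callable, Dict, List

# Constructed context weights: the article says risk should be contextualised
# against industry, size and geography. These multipliers are illustrative only.
INDUSTRY_WEIGHT: Dict[str, float] = {"retail": 1.0, "financial": 1.3, "manufacturing": 0.9}


@dataclass(frozen=True)
class Asset:
    name: str
    exposure_usd: float        # estimated loss if this asset is breached
    tech_likelihood: float     # 0..1 from technical findings (patch state, config)
    human_likelihood: float    # 0..1 from phishing results and device hygiene
    policy_likelihood: float   # 0..1 from procedure / third-party gaps


def human_likelihood_from_devices(phish_click_rate: float, controls: Dict[str, bool]) -> float:
    """Turn a department's phishing click rate and device control status into a 0..1 score.
    Each missing control (VPN, passcode, patched OS, not jailbroken) adds 0.1 (assumed weight)."""
    missing = sum(1 for present in controls.values() if not present)
    return min(1.0, phish_click_rate + 0.1 * missing)


def breach_probability(a: Asset) -> float:
    """Treat the three channels as independent: a breach occurs if any one succeeds."""
    p_none = (1 - a.tech_likelihood) * (1 - a.human_likelihood) * (1 - a.policy_likelihood)
    return 1 - p_none


def asset_risk_usd(a: Asset, industry: str) -> float:
    """Expected annual loss for one asset, in dollars, weighted by industry context."""
    return breach_probability(a) * a.exposure_usd * INDUSTRY_WEIGHT[industry]


def portfolio_risk_usd(assets: List[Asset], industry: str) -> float:
    return sum(asset_risk_usd(a, industry) for a in assets)


def risk_reduction_usd(assets: List[Asset], industry: str, control: Callable[[Asset], Asset]) -> float:
    """Dollar reduction from applying an initiative (a function that returns a modified asset)."""
    before = portfolio_risk_usd(assets, industry)
    after = portfolio_risk_usd([control(a) for a in assets], industry)
    return before - after


def patching_initiative(a: Asset) -> Asset:
    """Constructed initiative: a patching programme halves the technical likelihood."""
    return replace(a, tech_likelihood=a.tech_likelihood / 2)


# Constructed sample portfolio for a retail organisation.
SAMPLE_ASSETS = [
    Asset("crm", 2_000_000, 0.10, 0.20, 0.05),
    Asset("hr-portal", 500_000, 0.30, 0.25, 0.10),
]
```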