Taking the Guesswork Out of Communicating Cyber Risk

Featured article by Nick Sanna, President and CEO at RiskLens

There is a consensus within cybersecurity circles that cyber risk quantification (CRQ) is a cornerstone of modern enterprise risk management programs and helps CISOs and security teams communicate cyber risk to the Board.

However, debates around what constitutes cyber risk quantification lead into more murky waters. Is it a risk rating of 1-5, created by polling the security staff? A maturity score based on the number of cybersecurity controls in place? A security rating based on technical vulnerabilities?

These are all widely used metrics but they can fail to tell the whole story. For organizations to clearly identify the scope and set clear objectives to guide their initiatives when planning for risk, they must be able to effectively measure risk, then communicate to executives and the Board.

The Board understands metrics that matter, like the probability of a cyber incident occurring, hours of response time, and money lost, as opposed to the technical speak that most IT and cyber teams are used to. So, how will organizations be able to assess and communicate risk in a quantitative way that takes the guesswork out?

Keeping the Board’s attention

Quantitative risk management programs see higher rates of success when they are driven from the top down. It is of crucial importance that executive teams are aware of, and can understand, the results of risk assessments and how to prioritize projects based on risk reduction.

But how is risk quantified? While numeric rating systems for vulnerability scans or complying with frameworks such as NIST CSF are good technical indicators of cybersecurity readiness, risk quantification should be defined as a means to prioritize and justify business decisions in financial terms. For instance, expressing cyber risk as the probable frequency and the probable impact of a cyber loss event. This way, risk can be quantified in financial terms, a language that makes sense to the entire organization.

It is vital for Boards and senior executives to gain financial understanding of cyber and information risk. With that knowledge, hey will be able to understand the risk reduction and ROI of key security projects. More importantly, this understanding will allow them to make risk-informed business decisions and better fulfill their cyber risk governance obligations.

Gaining insight into risk exposure

To gain this insight into their risk exposure, organizations should shift from an approach focused first on threats and vulnerabilities to an approach that starts with the critical assets. Let’s take a concrete example: Large organizations are overwhelmed with the thousands of vulnerabilities to be patched. They can begin by defining their asset profiles, groups of systems that support critical processes (for instance, manufacturing or billing) which could be impacted in a cyber incident.

The organization can assess what could cause the most damage to an asset profile, for instance an outage or a data breach. With those loss-event scenarios identified, a cyber risk quantification platform can run analyses showing the level of risk (or loss exposure in financial terms) for asset profiles, giving clear direction for first addressing the vulnerabilities that could cause the most loss.

Six advantages to quantitative risk assessments

As the above example showed, one of the key benefits of risk quantification is prioritizing and justifying risk management projects. But there are other advantages to quantitative risk assessment:

1. An established common language of cyber risk for security and risk teams: Risk assessments based on a standard methodology for risk quantification provide a logical and consistent way to understand and measure risk. Once the teams are trained, misunderstandings over what should be considered high or low risk are eliminated.

2. The ability to communicate cyber risk to the business in familiar financial terms: Presenting a finding that encryption will reduce the probability of loss exposure by $5.8 million, or $5.80 for every dollar spent, is a credible statement that is on par with typical cost/benefit analysis and will make sense to senior executives and board members. More importantly, if there are questions about the results, security teams will be able to document all their data sources and provide a paper trail.

3. Comparison and aggregation of risks to understand the top risks and overall loss exposure: Comparing and prioritizing risks isn’t possible without quantification in financial terms. Typically, aggregating risks for a picture of total loss exposure for the entire organization or a business unit requires apples-to-apples measurement among risks. Once these aggregated risk assessments are set up, the analysts can report on how trends evolve over time to show the progress in risk reduction.

4. The capability to triage everyday risks and clean up the risk register: Risk and security teams often find themselves on the receiving end of audit findings or vague requests from executives to assess certain risks that aren’t actually risks – they’re not events that cause loss to the business. Many issues get dumped into the risk register with no way to prioritize them. With a quantitative risk analysis, risk managers can render GRC entries into quantifiable risk scenarios and quickly prioritize audit findings based on business impact.

5. Setting explicit risk appetite statements that can guide decision-making: This can be especially difficult when risks can’t be quantified. Quantified risk assessments allow for cybersecurity teams to identify the loss events that are most relevant, run the necessary analyses and define the risk threshold for unacceptable loss exposure.

6. The ability to meet compliance frameworks in a cost-effective way that satisfies regulators: Many businesses base their cybersecurity programs on frameworks such as NIST, ISO, CIS, which are essentially list of controls and best practices. They help organizations understand areas of control deficiencies. Unfortunately the work involved often vastly exceeds the time and resources available. With quantitative analysis, organizations can understand which compliance activities should be prioritized, based on their impact to the business.

Having clear, explicit objectives is an essential component of a successful quantitative risk management program. It will accelerate the value delivered by cyber risk quantification, generate demand for additional assessments throughout the business and establish a strong foundation for the ongoing program. Most importantly, a quantitative risk management program will help provide a clear, financial value or return that security leaders can present to board members and senior executives, explaining the risk in non-technical terms and justifying how the business can prioritize projects that strengthen security for their new and existing digital growth initiatives.