The CFO/ CRO is likely to define cyber risk acceptance thresholds and anything that breaches the threshold would need remedial measures.
Over the past few years, the discourse around cyber security has subtly shifted from prevention and detection to cyber resilience - the capacity to withstand and/or recover from a cyber incident quickly, resume operations and limit impact - a sign of begrudging acceptance of the inevitability of a data breach. Akin to fraud loss in the banking and finance sector or shrinkage in the retail sector, cyber related losses may soon find themselves on the “cost of doing business” list in the increasingly digital-first business world that we have come to live in.
This is probably a good thing for two reasons –
1. Businesses finally recognise a cyber-attack as a credible threat to their bottom line, thus helping the security leader get his long overdue seat at the table.
At some point, the CFO/ CRO is likely to define cyber risk acceptance thresholds (how much hit in dollar terms are we prepared to take from cyber-attacks every year) and anything that breaches the threshold would need remedial measures. For the CISO, this opens a window of opportunity, to secure an investment corpus to meet his cyber security goals.
However, this can be a double-edged sword for the CISO. On one hand, it is an opportunity to table the risks and the associated budgets to mitigate them. On the other, it places the onerous responsibility of backing the proposal with hard numbers that provide a compelling business case, one that can stand up to financial scrutiny.
Generally, the ROI metric is widely used to make a case for project funding (the number of new customers that a proposed marketing campaign will bring in, leading to an “x%” increase in top line or bottom line; “y” dollars saved in manpower costs each month due to automation, etc.).
Unfortunately, the ROI metric is of little value in our world, as investment in cyber security is dilutive (it doesn’t generate positive returns). In fact, cyber security solutions depreciate (lose their value) quickly over time because of –
- the increasing financial wherewithal and technological sophistication of threat actors, which easily overwhelms the defenders
- the polymorphic nature of attacks
- the unwillingness or inability of security teams to utilise a cyber security solution to its fullest potential (reasons vary - a survey found that most organizations use only 10% of the features offered by a security solution, because the security team deploys the tool in a hurry and moves on to some other exciting technology, or a solitary skilled engineer leaves the company, or an inferior product is bought that falls short of delivering on its promise)
So, instead of the ROI metric, the RoRR or Return on Risk Reduction may be a more appropriate metric to showcase value - i.e., how much risk in dollar terms a solution / project reduces for every dollar spent on implementing and managing it effectively over a defined period.
To make financially viable cyber security decisions, we should perhaps look at two things –
Investing in cyber security solutions and processes that have a low rate of depreciation – It may be prudent to choose solutions that retain their utility or allow themselves to be continuously (and easily) tuned to remain effective over a longer period, even in the face of a dynamic threat landscape. Technologies that amplify or substitute human effort (automation) and compensate for human error/ attention deficit/knowledge gaps tend to offer good value.
We must also bear in mind that cyber security suffers from the law of diminishing marginal utility; beyond a point, every additional investment in cyber security technology does not proportionately improve the security posture and in some cases, may degrade security.
This is due to newer risks being introduced into the environment through emergent complexity: technology sprawl, lack of vendor interoperability, and support issues arising from consolidation, mergers and acquisitions in the cyber security industry. Thus, bigger investment budgets and more cyber security tools do not necessarily translate into better security.
Here is a list of cyber security technologies that, in my view, continue to offer an excellent risk-reward trade-off today -
- Firewalls (Network firewalls, Web Application firewalls, Identity based firewalls)
- Two factor Authentication
- Endpoint Protection, Detection and Response (EPP+ EDR)
- Advanced Email Security (Anti-APT)
- Automated Asset Inventory Management
- Continuous Security Assessment (assessing infrastructure and applications for vulnerabilities, and compliance to secure configuration best practices)
- Security Awareness and Training (including phishing simulation)
- Secure Web Access Gateway
- DDOS protection
- Security Monitoring, Threat Analysis and Incident Response
Interestingly, around the same time last year, a leading cyber insurance broker launched its inaugural cyber security evaluation program to help organizations gain better clarity in choosing security solutions in an over-crowded marketplace. The program evaluated solutions on key criteria, such as -
- Demonstrated ability to address major enterprise cyber risk such as data breach, theft or corruption; business interruption; or cyber extortion.
- Demonstrated ability to quantitatively measure and report on factors that reduce the frequency or severity of cyber events.
- Demonstrated viability to address different client use cases.
- Demonstrated ability of users to successfully implement and govern the use of the product to reduce cyber risk (their efficiency).
You can read more about this program here.
2. Adopting a methodology to build and present a convincing business case, by quantifying in financial terms the cyber risks that the project aims to mitigate/reduce and measuring the return on risk reduction offered if the proposed cyber security solution/process were to be implemented.
At first glance, the concept of cyber risk quantification seems abstract and even intimidating. Detractors cite the lack of verifiable published industry data on actual financial losses incurred by victims, the inability to estimate the intangible losses that accompany a breach (brand reputation loss, loss of customer confidence and trust), and the lack of a proven model that takes into consideration the large number of causal variables that could lead up to an incident.
But just because it is difficult to do doesn’t imply that it’s not useful or impossible to implement. Cyber Risk Quantification has been attracting a lot of interest, attention, effort and investment, and may soon become an indispensable tool in a CISO’s arsenal when having budget conversations with the finance and procurement leadership of the organization.
Some of the notable thought leaders and risk management experts of our era, Doug Hubbard, Jack Freund and Jack Jones, have challenged the prevailing cyber risk assessment and measurement methods in use today and make a strong case for adopting a more scientific and consistent cyber risk quantification method for go/no-go decisions.
One of the popular cyber risk quantification models is the FAIR (Factor Analysis of Information Risk) method, which defines risk as the probable frequency and probable magnitude of future losses and offers an elaborate mathematical framework and toolset to quantify risk.
Applied correctly, the FAIR method can help arrive at reasonably realistic estimates of -
- the probability of a specific cyber-attack/breach on your organization (we are most likely to see 4 high-bandwidth DDOS attacks on our e-commerce portal next year, 1 attack at a minimum and 9 attacks at the upper end)
- the average cost per incident, including revenue loss, reputation loss etc. (there is a 20% chance that we will lose USD 10 mil at the lower band and a 5% chance that we may lose USD 25 mil at the upper band, and our most likely loss could be USD 10 mil per event)
- the resulting annualised loss exposure or quantifiable cyber risk (we stand to lose USD 40 mil from DDOS attacks next year)
- the cost of the proposed control and the reduction in likelihood of an attack if it is implemented (a fully managed Anti-DDOS service from our ISP is available for USD 1 mil/year and is likely to reduce the likelihood of a successful attack by 50%, which would reduce our loss from USD 40 mil to USD 20 mil)
The Return on Risk Reduction metric in this case, would work out to 20x. Quite substantial for the CFO to take the proposal seriously.
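The arithmetic behind the DDOS illustration above, as an added example that is not part of the original post and not FAIR Institute tooling: it reproduces the 20x point estimate from the post's own figures, and also samples the min/most-likely/max ranges with a triangular distribution (an assumption; FAIR tooling usually uses PERT curves) so that the finance team sees a loss distribution rather than a single number.

```python
import random
from dataclasses import dataclass


@dataclass
class Estimate:
    """Calibrated min / most-likely / max range, as a FAIR-style analyst would supply it."""
    low: float
    likely: float
    high: float

    def sample(self, rng: random.Random) -> float:
        # Triangular distribution stands in for the PERT curves FAIR tooling typically uses.
        return rng.triangular(self.low, self.high, self.likely)


# Figures from the post's DDOS illustration (USD millions, per year).
# Loss magnitude: the post gives 10 as both the lower band and the most-likely loss, 25 as the upper band.
ATTACK_FREQUENCY = Estimate(low=1, likely=4, high=9)
LOSS_PER_EVENT = Estimate(low=10, likely=10, high=25)
CONTROL_COST = 1.0          # managed Anti-DDOS service, USD mil/year
LIKELIHOOD_REDUCTION = 0.5  # control halves the chance of a successful attack


def point_ale(freq: Estimate, magnitude: Estimate) -> float:
    """Annualised loss exposure from most-likely values: frequency x magnitude."""
    return freq.likely * magnitude.likely


def return_on_risk_reduction(ale_before: float, ale_after: float, cost: float) -> float:
    """RoRR: dollars of risk removed per dollar spent on the control over the period."""
    return (ale_before - ale_after) / cost


def simulated_ale(freq: Estimate, magnitude: Estimate, trials: int = 20000, seed: int = 1) -> dict:
    """Monte Carlo ALE: sample the ranges instead of collapsing them to single numbers."""
    rng = random.Random(seed)
    losses = sorted(freq.sample(rng) * magnitude.sample(rng) for _ in range(trials))
    return {
        "mean": sum(losses) / trials,
        "p90": losses[int(0.9 * trials)],  # loss exceeded in roughly one year out of ten
    }


def business_case() -> dict:
    """Point-estimate version of the post's case: ALE before, ALE after the control, RoRR."""
    before = point_ale(ATTACK_FREQUENCY, LOSS_PER_EVENT)
    after = before * (1 - LIKELIHOOD_REDUCTION)
    return {"ale_before": before, "ale_after": after,
            "rorr": return_on_risk_reduction(before, after, CONTROL_COST)}


if __name__ == "__main__":
    print(business_case())
    print(simulated_ale(ATTACK_FREQUENCY, LOSS_PER_EVENT))
```

Because both ranges in the post are skewed upward, the simulated mean exposure lands well above the USD 40 mil point estimate; surfacing that gap, and the p90 tail, is the kind of detail that survives a CFO's scrutiny better than a single headline number.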
This illustration is obviously an over-simplification and does not adequately convey the effort and rigor that would go into creating a real-life financial business case using FAIR or any other cyber risk quantification model. However, it does offer a glimpse of a novel way of evaluating cyber risks in the context of their relevance and impact to the business - a significant departure from the green/amber/red heat-maps or the High/Medium/Low triumvirate that have come to dominate our risk management practice.
Learning and applying this methodology, especially in big-ticket investment decisions, and bouncing it off the finance team could be well worth the effort and turn out to be an insightful and useful exercise.
The probability of success is difficult to estimate; but if we never search, the chance of success is zero. – Philip Morrison, Quantum Physicist