
CIOs and CISOs must learn to explain cybersecurity risks and vulnerabilities in language and models that business leaders understand, quantifying the potential impact in financial terms so that the budget needed to manage those risks can be meaningfully prioritized.
Even though cybersecurity is recognized as one of the greatest risks to business today, that recognition is rarely reflected in organizational budgets. Budgets are perhaps the clearest indication of an enterprise’s priorities, and the growing impact of cybercrime is certainly not matched by an average cybersecurity spend of just 0.5% of company revenue.
The reason is simple: most C-suite executives still do not have a clear picture of the real risk they face from cybercrime, and have even less understanding of how to explain the impact of that risk in dollar terms to investors and shareholders.
Cyber risk is still often seen as something that can only be understood with detailed knowledge of digital systems, so explaining it is left to the technical IT and security operations teams. Those teams are rarely expected to have in-depth knowledge of the other business functions, which makes quantifying cyber risk in terms that support business decisions no easy task.
Although it is true that complex digital assets contribute greatly to any business, and that those assets will have vulnerabilities at every level that can affect their normal function, your business is about more than those assets, and it is easy for cybersecurity risk to be hidden in the technical jargon that surrounds digital complexity.
To define a company’s individual risk profile, you need to understand how your business makes its money. This is especially true when considering how cybersecurity risk affects your ability to make, and profitably retain, that money.
This means that although every business should conduct a regular cyber risk assessment of its digital assets to learn what a potential cyberattack could cost, those assessments must be made from the perspective of business value at risk, not just technical threat exposure.
Such risk assessments are great tools for helping the C-suite fully appreciate the risks, but they must be designed to assess the appropriate risks in the context of your actual business, in ways that clearly justify the value of effective mitigation and remediation.
The key lies in translating the cyber risk impact of technical and procedural vulnerabilities into initiatives that support business decisions. This requires not only the right vocabulary and structure to help the board understand where, how, and why the company should prioritize cybersecurity; it must also be solidly aligned with the delivery of the business strategy and its value growth objectives.
This is where chief information officers (CIOs) and chief information security officers (CISOs) come in: they are uniquely positioned not only to understand how the technology a business deploys creates value, but to tangibly quantify the risks that damage that value and thus set out an actionable cost/benefit balance for managing them. This is the business case for cyber risk management.
The CIO and CISO no longer function simply as specialist owners of technology and security; they are now the people best positioned to manage the discovery of vulnerabilities and threats to business data. They can then explain potential damage and loss in real dollar terms, within the context of the logical and technical infrastructure the business requires just to operate. This is functional cyber risk management at its most basic level.
After all, the CIO and CISO are accountable for delivering and securing the data infrastructure that drives the business, which means they already need to know where the data is, what it is, and, most importantly, its real value to the economic success and operation of the business. This provides the perfect framework for explaining the value of cyber risk prevention against any loss of availability, accuracy (integrity), or privacy (confidentiality) that can occur.
Once these critical data assets, systems, and processes have been identified and assessed, the CISO or CIO is best placed to use this understanding of vulnerabilities to quantify the real impact of cyber risk on business value, in the same monetary terms used to describe any other business case.
With this understanding, the necessity of active vulnerability and threat assessment becomes obvious. In practice this is much more complex than simply determining the value of the assets to protect: although assessment is a core competency of the cybersecurity team, not all vulnerabilities are equal. Prioritizing protection and response in proportion to a quantified business risk exposure is the only way to maintain resilient protection within your business risk appetite and remain within budget.
Collaboration between the CIO, the CISO, and the business is now much more than the presence-of-controls compliance reporting that regulatory and commercial policy has required. It is now about proving control effectiveness, where the cost of delivering those controls is measured against the reduction in cyber incidents and the avoidance of breaches and service impact that affect the business.

This approach requires not only in-depth knowledge of the enterprise’s architecture, configuration, software versions, and administrative processes, but also an active understanding of the value at risk and the cost to protect it. Effectively, vulnerability analysis summarizes the people, processes, and tools within the system. Ensuring that value and benefit are part of these discussions is crucial.
These assessments enable the business to clearly understand the security weaknesses in its environment, along with both the severity and the financial impact of the risks they create, so the business can see how much it would cost to remediate or mitigate those weaknesses compared with the cost of their actual occurrence. They also ensure that technical security operations reporting carries a strong business value element, rather than just counting events handled.
The answer, then, is for CISOs not only to align the vulnerability assessment with the data valuation in context, but to explain the benefits of investing in cyber security risk management in terms of business value and the strategic objectives it enables. In this way they help the C-suite understand the risks in financial terms and appreciate the value of investing in systems that reduce them, allowing clear-sighted decisions about business priorities.
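To make the translation from vulnerabilities to dollars concrete, here is an added worked example in Python; it is not from the article or from any product or framework it describes. It assumes a simple expected-annual-loss model (event frequency per year times loss per event, the ALE-style estimate commonly used in risk quantification), a set of loss scenarios and candidate controls whose names and figures are entirely constructed for illustration, and a greedy selection of controls by expected loss removed per dollar of annual cost within a fixed budget. A control that fits the budget but whose loss reduction is smaller than its cost is never funded, which is the "not all vulnerabilities are equal" point in numbers.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Tuple


@dataclass
class Scenario:
    """A loss scenario expressed in business terms.

    annual_frequency: expected number of events per year.
    loss_per_event:   expected dollar loss when one event occurs.
    Their product is the scenario's expected annual loss (ALE-style estimate).
    """
    name: str
    annual_frequency: float
    loss_per_event: float


@dataclass
class Control:
    """A candidate mitigation: its annual cost and its effect on each scenario.

    Factors are multipliers on a scenario's frequency or loss magnitude
    (1.0 = no effect, 0.5 = halved). One control may affect several scenarios.
    """
    name: str
    annual_cost: float
    frequency_factor: Dict[str, float] = field(default_factory=dict)
    magnitude_factor: Dict[str, float] = field(default_factory=dict)


def expected_annual_loss(scenarios: List[Scenario], controls: List[Control]) -> float:
    """Expected annual loss in dollars after applying the given controls."""
    total = 0.0
    for s in scenarios:
        freq, magnitude = s.annual_frequency, s.loss_per_event
        for c in controls:
            freq *= c.frequency_factor.get(s.name, 1.0)
            magnitude *= c.magnitude_factor.get(s.name, 1.0)
        total += freq * magnitude
    return total


def prioritize(scenarios: List[Scenario], controls: List[Control],
               budget: float) -> Tuple[List[Control], float]:
    """Greedy selection of controls by marginal loss reduction per dollar.

    Each step funds the control that removes the most expected loss per dollar
    of annual cost, provided it fits the remaining budget and its reduction
    exceeds its cost. Returns the chosen controls in order and the residual
    expected annual loss, i.e. the exposure left for the risk-appetite decision.
    """
    chosen, remaining = [], list(controls)
    current = expected_annual_loss(scenarios, chosen)
    while remaining:
        best, best_ratio = None, 0.0
        for c in remaining:
            if c.annual_cost > budget:
                continue
            reduction = current - expected_annual_loss(scenarios, chosen + [c])
            if reduction <= c.annual_cost:      # costs more than it saves
                continue
            ratio = reduction / c.annual_cost
            if ratio > best_ratio:
                best, best_ratio = c, ratio
        if best is None:
            break
        chosen.append(best)
        remaining.remove(best)
        budget -= best.annual_cost
        current = expected_annual_loss(scenarios, chosen)
    return chosen, current


# Constructed example figures (invented for illustration, not real data).
SCENARIOS = [
    Scenario("ransomware outage", annual_frequency=0.4, loss_per_event=2_000_000),
    Scenario("customer data breach", annual_frequency=0.2, loss_per_event=3_000_000),
    Scenario("payment fraud", annual_frequency=1.5, loss_per_event=50_000),
]
CONTROLS = [
    Control("MFA on all remote access", 60_000,
            frequency_factor={"ransomware outage": 0.5, "customer data breach": 0.6,
                              "payment fraud": 0.5}),
    Control("immutable backups with tested restore", 120_000,
            magnitude_factor={"ransomware outage": 0.25}),
    Control("DLP and data minimization", 250_000,
            magnitude_factor={"customer data breach": 0.5}),
    Control("dual approval on payment changes", 15_000,
            frequency_factor={"payment fraud": 0.2}),
    Control("annual awareness video", 40_000,
            frequency_factor={"payment fraud": 0.9}),
]
BUDGET = 300_000


def build_business_case(scenarios=SCENARIOS, controls=CONTROLS, budget=BUDGET) -> dict:
    """Return the figures a board summary needs: baseline loss, funded controls,
    total spend, residual loss and the loss reduction the spend buys."""
    baseline = expected_annual_loss(scenarios, [])
    chosen, residual = prioritize(scenarios, controls, budget)
    spend = sum(c.annual_cost for c in chosen)
    return {"baseline_loss": baseline, "chosen": [c.name for c in chosen],
            "spend": spend, "residual_loss": residual,
            "loss_reduction": baseline - residual}


if __name__ == "__main__":
    case = build_business_case()
    print(f"Expected annual loss before controls: ${case['baseline_loss']:,.0f}")
    for name in case["chosen"]:
        print(f"  fund: {name}")
    print(f"Spend ${case['spend']:,.0f} to cut expected loss by "
          f"${case['loss_reduction']:,.0f}; residual ${case['residual_loss']:,.0f}")
```

With the constructed figures the model funds MFA, backups and dual approval for $195,000 of the $300,000 budget, taking expected annual loss from $1,475,000 to $467,500, while the awareness video is rejected because it never saves more than it costs and the DLP programme is rejected because, once MFA has cut breach frequency, its remaining benefit no longer covers its price. The residual figure is what goes to the board against the stated risk appetite; the inputs are estimates, so in practice the frequency and loss figures should carry ranges, not single points.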
As the world continues to digitize, and as new AI-based data management, analytics, and manipulation tools start to demand investment attention, the stakes for businesses that do not treat cyber risk as a key business concern can only increase. Criminals always want to steal as much as possible for as little effort as possible; this is equally true of cybercriminals, who will monetize your vulnerabilities for their own benefit. Preying on organizations that hold valuable data to steal or extort, and that remain inadequately protected, is the cybercriminal’s business model.
The consequences of a security breach remain significant, in financial, legal, and reputational terms, demonstrating the importance of risk management and how failing to get it right can destroy a business. This is why CISOs need to be able to quantify and communicate risk effectively, so that executive leaders understand it and treat it as a fiduciary priority.
Inadequate assessment and explanation of the real risks of new technology to decision makers is not only a cyber risk issue; more seriously, it can also lead to missed opportunities through lack of perspective and failure to competitively exploit new sources of profit and value.
An effective risk management program will often include a level of risk transfer in the form of insurance. Acquiring and retaining cyber insurance today requires not only that you have the right policies, standards, and technologies in place, but proof that you know how to use them and that they are actively being used to reduce risk.
Being able to prove that your investment in cybersecurity and cyber risk reduction, across whatever technologies your business requires, positively benefits the bottom line is no longer a luxury; it is a requirement for business success. Effective communication and understanding of the real cyber risks specific to your business, between the board and the C-level, has never been more essential, and proving that you are managing those risks has never been more important to your role as CIO or CISO.