The days of presenting vague traffic light metrics to secure IT budget are numbered, writes Saket Modi, CEO of Safe Security
Time and again, we’re told of the colossal financial risks inherent in cybersecurity threats.
The IBM Cost of a Data Breach Report shows that the average financial damage of a breach rose from £3.2 million to £3.4 million in 2021 – the highest cost on record. That is a powerful and persuasive sum that helps CISOs illustrate cybercrime risk.
But it’s not always easy to convey the value of the cybersecurity team’s work to ensure an expensive incident never happens – or minimise costs when it does.
The good news is CISOs can now leverage a new and powerful way to communicate with board executives: ‘Cyber Risk Quantification’.
Here are some ways you can implement this approach:
Draw on the power of metrics
Cyber Risk Quantification incorporates data points gathered across a business and combines the likelihood of a breach with its estimated financial impact in one easily understood metric.
This single metric is much more powerful than disparate data points – it allows CISOs to show the expected cost of an attack, and how much of that expected cost a given cybersecurity investment removes.
Granular risk assessments can also highlight the financial impact of failing to address a known vulnerability or highlight the risk posed by specific applications, devices, cloud instances or even third parties. Crucially, it helps organisations move away from a reactive approach to cybersecurity and towards a proactive one.
Modern security systems gather too much data for the C-Suite to digest. With a risk quantification system delivering the monetary value of damage, executives have a metric which speaks their language.
Forget red, amber and green
Many organisations use legacy techniques to illustrate the level of risk to their business, such as the infamous red, amber and green ratings. This vague rating scale is out-of-date, because businesses can now quantify the risk, rather than simply describe it in three loose, and often overlapping, categories.
A cyber risk score that translates into a dollar value is a shorthand that allows security heads to plainly communicate the impact of various security issues and secure buy-in for the budget needed to resolve them.
Beware the peril of point products
When a new vulnerability is discovered, it can be tempting to simply install a new product. But this approach quickly leads to bloat and inefficiency.
Small businesses now use up to 20 different security tools, and large companies could have in excess of 130, which has created a data explosion. It’s estimated that businesses will cumulatively spend around £1.42 trillion on security in the next five years.
While access to reliable, real-time data streams is a critical aspect of maintaining a strong cybersecurity posture, too much information is difficult to manage and apply within the business.
When trying to communicate cybersecurity risk and value, CISOs can benefit from using fewer products – which will also keep the accounts department happy by reducing cost. The metric should be as simple and easy to understand as possible.
Address the human problem
Human vulnerabilities should be measured and fed into the risk score. Measuring people is harder than measuring the performance of technical infrastructure, but it can be done.
Identifying the individuals or departments most likely to fall for phishing is one way of quantifying human risk. Another is to check the state of security controls on employees' devices: secure connectivity, passcode protection, OS patch status and whether the device has been jailbroken.
When building a risk score, it is critical to include the human element.
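To make the arithmetic behind the "one metric" concrete, here is an added worked example in Python. It is not Safe Security's model or code, and every asset name, event rate, loss parameter and posture multiplier in it is constructed for illustration. It turns a per-asset breach likelihood and loss estimate into an annualised loss figure and a loss-exceedance probability, lets the human and device signals described above scale the likelihood, and then prices the reduction a hypothetical control buys.

```python
"""Cyber risk quantification in miniature: per-asset breach likelihood and
loss estimates -> annualised loss expectancy, loss-exceedance probability,
and the return on a control that lowers the likelihood.

Added example for this article; not Safe Security's product or scoring
method. Every asset name, event rate, loss parameter and posture multiplier
below is constructed for illustration, not measured data.
"""
import math
import random
from dataclasses import dataclass, field
from typing import Dict, List

# Constructed: how much each failing human/device control scales the annual
# rate of loss events (the phishing and device checks the article mentions).
POSTURE_MULTIPLIERS: Dict[str, float] = {
    "high_phish_click_rate": 1.5,
    "os_patches_missing": 1.3,
    "no_passcode": 1.2,
    "jailbroken": 1.4,
}


@dataclass
class Scenario:
    asset: str
    base_event_rate: float        # expected loss events per year (Poisson)
    loss_median: float            # median loss per event, in currency units
    loss_sigma: float             # per-event loss spread (lognormal, log-space sd)
    posture_failures: List[str] = field(default_factory=list)


def adjusted_event_rate(s: Scenario) -> float:
    """Base event rate scaled by every failing posture control."""
    rate = s.base_event_rate
    for failure in s.posture_failures:
        rate *= POSTURE_MULTIPLIERS.get(failure, 1.0)
    return rate


def analytic_ale(s: Scenario) -> float:
    """Closed-form annualised loss expectancy: event rate x mean per-event loss."""
    mean_loss = s.loss_median * math.exp(s.loss_sigma ** 2 / 2)
    return adjusted_event_rate(s) * mean_loss


def _poisson(rng: random.Random, lam: float) -> int:
    """Poisson draw (Knuth's method); fine for the small per-year rates used here."""
    limit = math.exp(-lam)
    k, p = 0, 1.0
    while True:
        p *= rng.random()
        if p <= limit:
            return k
        k += 1


def simulate_annual_losses(s: Scenario, years: int = 20000, seed: int = 7) -> List[float]:
    """Monte Carlo: one simulated year per entry, summing lognormal per-event losses."""
    rng = random.Random(seed)
    rate = adjusted_event_rate(s)
    mu = math.log(s.loss_median)
    yearly = []
    for _ in range(years):
        events = _poisson(rng, rate)
        yearly.append(sum(rng.lognormvariate(mu, s.loss_sigma) for _ in range(events)))
    return yearly


def summarise(losses: List[float], exceed_threshold: float) -> Dict[str, float]:
    """Board-level numbers: expected annual loss, chance of any loss in a year,
    chance of a year costing at least the threshold, and a 95th-percentile bad year."""
    ordered = sorted(losses)
    n = len(ordered)
    return {
        "ale": sum(ordered) / n,
        "p_any_loss": sum(1 for x in ordered if x > 0) / n,
        "p_exceed": sum(1 for x in ordered if x >= exceed_threshold) / n,
        "p95_loss": ordered[int(0.95 * (n - 1))],
    }


def rosi(ale_before: float, ale_after: float, control_cost: float) -> float:
    """Return on security investment: (expected loss avoided - cost) / cost."""
    return (ale_before - ale_after - control_cost) / control_cost


if __name__ == "__main__":
    # Constructed scenario: a customer-data application whose users click
    # phishing links often and whose laptops lag on OS patches.
    before = Scenario("customer-data-app", 0.4, 250_000, 1.0,
                      ["high_phish_click_rate", "os_patches_missing"])
    # Hypothetical control (phishing-resistant MFA plus targeted training),
    # assumed to remove the phishing signal at a cost of 40,000 per year.
    after = Scenario(before.asset, before.base_event_rate, before.loss_median,
                     before.loss_sigma, ["os_patches_missing"])
    b = summarise(simulate_annual_losses(before), 1_000_000)
    a = summarise(simulate_annual_losses(after), 1_000_000)
    print(f"ALE before: {b['ale']:,.0f}  after: {a['ale']:,.0f}")
    print(f"P(year costs >= 1M) before: {b['p_exceed']:.3f}  after: {a['p_exceed']:.3f}")
    print(f"ROSI of control: {rosi(b['ale'], a['ale'], 40_000):.2f}")
```

The expected annual loss is the number that replaces red, amber and green; the exceedance probability and 95th-percentile year are what a board usually asks next, because a small average can hide a rare but ruinous year. The multipliers and rates here are placeholders: in practice each one has to be calibrated against the organisation's own incident history and threat intelligence, and the model is only as honest as those inputs.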
Assess everything
A Cyber Risk Quantification model draws on data from every element of the business, including people, technology and even policies and procedures for first and third parties, including the supply chain. This information should be contextualised against other factors such as the size of an organisation, its geographic location and industry.
Finally, all data gathered during a risk assessment should be weighed against real-time threat intelligence, so that the likelihood side of the score reflects the threats actually active against the organisation's sector and region, not a static assumption.