The Do's and Don'ts of Cyber Risk Quantification for CISOs

23 May 2024

By James Pearce

Cyber Risk Quantification — a valuable tool for today's CISO

For years, cyber defense has been a largely abstract exercise. The Chief Information Security Officer (CISO) is charged with protecting the organization against relatively nebulous and undefined threats. You know the danger is lurking somewhere, but you can’t quite define the risk in concrete or tangible terms.

However, as technology has become essential for every aspect of business operations and the threats have become increasingly common and costly, the role of CISO has evolved to become more critical. Rather than serving as a supporting character whose primary purposes are to keep the machines running and troubleshoot errors, the CISO is expected to contribute materially to business resilience and growth.

Because of this shift toward more strategic expectations, the CISO must translate cyber security — risk, prevention, mitigation, and ultimately resilience — into business language to make it relevant across the entire organization.

Cyber risk quantification (CRQ) has emerged as a valuable tool for doing just that: defining and articulating risk in financial terms to guide decisions and actions, and to show the return on investment in making the organization more resilient.

More than just a “nice to have,” CRQ is becoming necessary for many organizations as boards, governments, and regulatory bodies push for greater accountability. For example, the UK government is suggesting organizations treat cyber risk the same way they would financial or legal risk, complete with a proposed code of practice for governance.

Yet simply conducting an assessment isn’t enough. Even when CISOs understand the risks and implications, communicating them clearly to the rest of the organization, the executives, and the board can be challenging.

Here are some best practice tips for leveraging CRQ to gain buy-in for the investments you need to make:

How to mitigate and communicate cyber security risk and justify investment

DO communicate the risk in financial terms. 

Business leaders make decisions based on business metrics. As CISO, you’ll need to contextualize risk in a language they can understand and define it with hard numbers, not traffic lights and pie charts. Cyber security is a business function that needs to be managed, just like talent, processes, innovation, and technology. We invest in tools to manage risk and optimize performance in those areas—cyber security should be no different.

DON’T scaremonger.

You’ll certainly want to present evidence of the risk and potential harm that could come as a result, but avoid being overly threatening or using a condescending tone. Recognize that the executive team or board of directors is trying to balance the entire organization’s needs. While you want them to take cyber risks seriously, the sky is probably not actually falling, and an overzealous approach may come off as siloed or out of touch with business realities.


DO make it about protecting other investments. 

For decision makers, part of balancing the needs of the organization includes making sure their other investments have the best chance of success. That’s where cyber security comes in; it can protect investments you’ve already made and those you will make in the future.

Think of it this way: you wouldn’t buy an expensive sports car without a security system, a garage to store it in, or insurance to cover the loss in the event it’s stolen or wrecked. In the same way, cyber security investment ensures every other initiative in the organization will be more resilient, more thorough, and have a lower risk of failure.

DON’T get too technical. 

Your fellow execs and board of directors may not need (and probably don’t want) to hear the technical details of which tactics the latest threat actors are deploying. They just need to know the likelihood of an attack, the potential for damage, and whether your organization is equipped to prevent it. Explain it in terms they can understand, such as the likelihood and potential impact. 

Consider employing a traditional 5x5 risk matrix, which is commonly used to quantify risk across various business sectors. If the potential impact of an event is significant but unlikely, you’ll naturally have a harder time getting buy-in. But if the impact is existential, no matter the likelihood, you’ve got a pretty compelling case.


DO point out the risk of doing nothing. 

Asking for a multi-million investment to completely remove legacy systems might seem over the top. But if that removal is required for regulatory compliance, it suddenly becomes a bit more important.

If you do nothing, what vulnerabilities are you leaving exposed? Are there compliance issues and potential fines? Are you risking new business? Are you putting customer data at risk? Decision makers need to know the potential consequences of inaction.

DON’T jump in too soon. 

While CRQ is becoming increasingly important, don’t invest in a CRQ assessment until you’ve laid a solid cyber security foundation. 

For example, say you’re using the CMMI Maturity Scale. Suppose your aggregated score for cyber control maturity is less than 2.5. In that case, any assessment is highly likely to uncover foundational controls that can be implemented without the need to quantify risk, so consider how you phase your approach to leverage the output most effectively. Moreover, documenting your cyber risks without building the capability to address them could have negative implications down the road.


DO explain personal liability. 

CISOs and other company leaders may be (and have been) held personally liable for a breach when it’s been found they were aware of vulnerabilities and either chose not to act or covered them up. The organization needs to have a legal strategy for cyber incident response, including prioritizing integrity and recognizing that anyone suspected of obfuscation or misrepresentation can be held personally accountable.

This is more prevalent in the US with now-mandated SEC disclosure requirements, but other countries are starting to follow suit with their own guidelines.

DON’T promise to eliminate all risks. 

Not only is this completely unrealistic, but it is also undesirable. Every business needs to take on a certain amount of risk to function and be innovative. An acceptable level of operational risk lets you push boundaries and stay competitive without being so cautious that the organization is paralyzed. Business leaders understand risk-benefit analysis, so quantify your risk in these terms and decide what level you’re willing to tolerate.

NCC Group supports CISOs with cyber risk management expertise

As CISO, you are keenly aware of cyber security risks. You can probably gauge your organization’s risk by tuning into the latest threat intelligence from a specialist provider, following the news, networking on professional forums, and understanding your organization’s infrastructure.

But just as you probably can’t put together the most prudent financial strategy for an upcoming business merger or a cost-effective employee benefits package, you can’t expect your colleagues in finance and HR to understand how to manage cyber risk. And indeed, your board of directors can’t know all the ins and outs of every business function.

That’s why CISOs must be able to articulate and quantify cyber risk in business terms, speak the same language as fellow business leaders, and explain how it impacts every other area of the business.

If your organization is looking to reach the next level of cyber maturity, a CRQ exercise can help. NCC Group’s Rapid CRQ Assessment combines our expertise with AI-fueled insights to benchmark your risk level across people, processes, and technology. Then, our experts provide actionable insights and recommended mitigation tactics. Using these outcomes, CISOs can communicate clearly, provide data-driven evidence, and answer tough questions from stakeholders to validate strategic investments.

James Pearce

Director of RM&G, NCC Group

James started in cyber security, purely by accident, in 2008. He initially worked on PCI DSS and ISO 27001 compliance projects with private sector clients before becoming a QSA in 2012 and joining NCC Group in 2013.

James is a Director within NCC Group’s Consulting and Implementation practice working primarily with private sector clients in industries including FSI, TMT, professional services, and retail.

James’ focus is on building cyber security programs to help organizations improve their cyber resilience. James is also part of our Strategic Advisor team and regularly speaks at client events, including NCC Group’s CISO Council.

Eager to raise your cyber maturity?

Get in touch with the Strategy, Risk, and Compliance team to learn more about cyber security risk quantification best practices or jump right in with a CRQ Assessment today.