Why Organizations Must Quantify Cyber-Risk in Business Terms

There's no doubt that cyber incidents are a top concern for business leaders today. Decision-makers around the world view data fraud, data theft, and cyberattacks as among the top five biggest risks they face, according to the World Economic Forum's "Global Risks Report." That's because cyberattacks can have a huge impact on a business — look at the estimated $300 million in costs after the NotPetya malware shut down operations at Maersk and that Verizon paid $350 million less for Yahoo after it suffered two cyberattacks. The average cost of cybercrime to an organization has risen to $13 million, according to a recent Accenture report. For businesses of all sizes and industries, cyber-risk is business risk.

Security leaders who are struggling to get the resources and support they need to protect their environment against cyberattacks often have an uphill battle when it comes to making their case to the CEO and the board. That's because they aren't able to translate cyber-risk into language the business executives can relate to or even quantify the risk. The CFO and heads of every other business unit speak the language of business, but not the security teams. Security leaders need to quantify cyber-risk in business terms; they need to make clear what the impact could be on the organization's value creation — business operations, reputation, and loss exposure in terms of dollars — all of which affect the future of the organization.

This problem is widespread. According to a recent study conducted by Ponemon and Tenable, more than 90% of respondents report experiencing at least one damaging cyberattack over the past two years, and 60% have had two or more. However, less than half of respondents say they measure the costs of cyber-risks, and only 41% attempt to actually quantify the damage. This lack of confidence in the accuracy of their measures means that security leaders aren't sharing critical information with their boards about the business costs of cyber-risk. Indeed, some security leaders report that news headlines and perceived risks, rather than quantifiable ones, are driving some top-down decisions.

Risk Quantification Best Practices
Security leaders can learn from other industries about how to quantify risk in business terms, like financial services, which has been out in front when it comes to managing risk. People don't let banks manage their life savings if they don't understand the risks and guard against losses. Financial services and cybersecurity aren't that dissimilar. Both feature increasingly complex systems and could suffer catastrophic damage in the event of failures that can cascade out into entire industries and geographies.

Cyber-risk varies depending on the type of organization affected and the potential harm. Two examples of cyberattacks that pose significant risk have targeted industries that are critical to the functioning of civil society. In 2015 and 2016, Ukraine's power grid was disrupted by nation-state attacks. Just recently, US officials revealed a much less serious cyberattack in March that briefly affected a grid control center and small power generation sites in California, Utah, and Wyoming. Meanwhile, persistent ransomware attacks over the past few years have forced untold numbers of hospitals and cities in the US and elsewhere to pay cybercriminals in order to get their computers back online. In those examples, the loss of basic utility services and potential harm to human life are key factors in the risk equation. For most businesses, however, the cyber-risk is primarily reputational and financial as a result of: loss of business due to downtime; loss of customers; theft of intellectual property or data; legal, labor, and cleanup costs; and fines due to lack of compliance with regulations.

Reliable, Accurate Metrics
What do top executives and boards need to know to make informed business decisions that affect the organization's security programs? They must discover where in their environment they have exposures using quantifiable metrics, including what data and assets are vulnerable, as well as the location of prior security incidents and how they happened. That information helps them prioritize technology purchases and deployments based on risk. Decision-makers also need to know how security teams are reducing their cyber exposure over time, as well as how they compare with their peers. Security teams must correlate vulnerability data with other risk indicators, such as threat intelligence and asset criticality, in order to automatically score, trend, and benchmark an organization's cyber-risk.

There are a number of forces pushing organizations toward more effective cyber-risk management. The growing number of serious and costly cyberattacks has prompted boards and CEOs to take a more proactive role in understanding cyber threats and exposure. The rising costs of cyberattacks and data breaches and regulatory fines are driving demand for better measurement and articulation of business impacts. Many organizations have not adopted security metrics that reflect the role that cybersecurity plays as a core business enabler for organizations — but they need to. 

Related Content:

Check out The Edge, Dark Reading's new section for features, threat data, and in-depth perspectives. Today's top story: "Developers: The Cause of and Solution to Security's Biggest Problems."