If cybersecurity is a significant threat, why aren’t business leaders putting their money where their mouths are? Most (89%) C-suite executives claim cybersecurity is a high priority. Yet budgets are a tell-tale sign of organizational priorities: the average spend is 0.5% of company revenue.
So why doesn’t the spend match the claims? The answer is simple. It’s because C-suite executives don’t know how much risk they have concerning cybercrime and have no idea how to quantify it.
Quantifying risk is problematic because it requires a detailed understanding of digital systems and in-depth knowledge of other business functions. Defining the unique risk profile of an organization requires knowledge of how all digital assets contribute to the business and the vulnerabilities surrounding them. Cybersecurity leaders, however, are uniquely positioned to perform this service as they understand the technical infrastructure and engage with all aspects of the company. Organizations need a cybersecurity leader to help articulate the value of digital assets for complete risk management.
The Problem
Unfortunately, most businesses don’t know how to quantify cyber risk, so budgets remain underfunded. Without a structured method, they don’t have the vocabulary to discuss priorities, which creates a communication gap between the technical leaders and their executive peers. Most chief information officers (CIOs) rise through the technical ranks and can speak to automation efficiency fluently. Unfortunately, most haven’t been able to translate risk to potential business expense to balance against investment needs.
To fill this gap, many industries have hired Chief Information Security Officers (CISOs). However, CISOs stay in their roles for an average of 18 months and look for greener pastures because they cannot raise corporate visibility and understanding of their priorities enough to get cybersecurity initiatives funded. This means that the perceived importance of cybersecurity doesn’t match the budget allocation and corporate culture. This gap has to be bridged from a business perspective rather than a technical one.
A risk assessment of digital assets is a great place to start discovering what the cost of a potential cyberattack could be. This exercise, in turn, can help the C-suite appreciate the risks and understand the value of mitigation and remediation.
Risk Assessments Blend Business and Technical Knowledge
Digital risk management naturally resides within the cybersecurity function, but most companies view that function as purely technical. This perspective squanders highly skilled resources and isolates their expertise from the broader business.
To translate technical capabilities to business decisions, organizations need the vocabulary and structure to help them understand how and why the company should prioritize cybersecurity. The real issue isn’t security; it’s about risk management’s cost/benefit balance, and CIOs and CISOs are uniquely positioned to educate their organizations and tangibly quantify risks. They are responsible for the data infrastructure, so they know where and what data is available. Conducting a risk assessment can propel them to engage with other aspects of the business to understand the use and value of data. They are also in a position to know vulnerabilities associated with that data within the infrastructure.
Categorizing Data
However, for CISOs to truly understand the use and value of the organization’s data, all data needs to be categorized and evaluated. To do this, analysts need to identify where the data is, the source of value, and its cost.
For example, the cybersecurity team should know the location of data and work with its business owners to understand how it’s used. The partnership can then establish the quantifiable value of the data in its appropriate context:
• Market-based: the value derived from market price, such as the value of PII or login credentials sold on the dark web.
• Cost-based: the cost to create, store, analyze, and transport data.
• Utility-based: the value that comes from cash flow generated when using data.
• Externalities: the potential future value of data once it has been fully conceptualized and offered to the market.
Once data assets have been identified and assessed, the CISO and the business have quantified risk in monetary terms.
Vulnerability Assessments
The next step is to conduct a vulnerability assessment, which takes more effort than asset valuation but should be a core competency of the cybersecurity team. It requires in-depth knowledge of the organization’s architecture, configuration, software versions, and administrative processes. It’s more than just an inventory list with identified bugs. Vulnerability analysis summarizes people, processes, and tools within the system. It must include how:
• the systems operate as an ecosystem
• vulnerabilities are systematically identified and managed
• end users understand and apply security practices
• access control, configuration, and authentication are managed
Vulnerability assessments provide the organization with information about the security weaknesses within the environment, the severity and value of risk they create, and how much it would cost to remediate or mitigate the issues.
If CISOs align the vulnerability assessment with the data valuation contextually, the C-suite will be able to understand the risks in financial terms and make clear-sighted decisions about business priorities. All organizations have unique risk profiles that evolve, and an annual risk management assessment is essential to understand and manage your infrastructure well. In fact, annual risk assessments are becoming an expectation of fiduciary responsibility for business leaders.
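As an added illustration (not from the article), the following Python models the valuation bases above and aligns them with a vulnerability register so that each weakness is expressed as an expected annual loss set against its remediation cost. The expected-loss formula (value × impact share × yearly likelihood), the asset values, likelihoods and costs are assumptions constructed for the example.

```python
from dataclasses import dataclass


@dataclass
class DataAsset:
    name: str
    owner: str    # business owner who confirms how the data is used
    basis: str    # valuation basis: market, cost, utility or externality
    value: float  # monetary value agreed with the owner on that basis


@dataclass
class Vulnerability:
    asset: str                 # name of the DataAsset it exposes
    weakness: str
    annual_likelihood: float   # assumed probability of exploitation per year (0..1)
    impact_fraction: float     # assumed share of asset value lost if exploited (0..1)
    remediation_cost: float    # one-off cost to fix or mitigate


def expected_annual_loss(asset: DataAsset, vuln: Vulnerability) -> float:
    """Assumed model: expected annual loss = value x impact share x yearly likelihood."""
    return asset.value * vuln.impact_fraction * vuln.annual_likelihood


def prioritize(assets, vulns):
    """Rank weaknesses by net benefit of fixing them (expected loss avoided minus cost)."""
    by_name = {a.name: a for a in assets}
    rows = []
    for v in vulns:
        a = by_name[v.asset]
        eal = expected_annual_loss(a, v)
        rows.append({
            "asset": a.name, "owner": a.owner, "basis": a.basis, "weakness": v.weakness,
            "expected_annual_loss": eal, "remediation_cost": v.remediation_cost,
            "net_benefit": eal - v.remediation_cost,
            "decision": "mitigate" if eal > v.remediation_cost else "accept or transfer",
        })
    rows.sort(key=lambda r: r["net_benefit"], reverse=True)
    return rows


# Constructed sample register; the figures are illustrative, not real data.
ASSETS = [
    DataAsset("customer_pii", "Marketing", "market", 400_000),
    DataAsset("analytics_dataset", "Product", "utility", 1_200_000),
]
VULNS = [
    Vulnerability("customer_pii", "unpatched web app in front of customer DB", 0.30, 1.0, 50_000),
    Vulnerability("analytics_dataset", "shared admin credentials without MFA", 0.10, 0.5, 20_000),
    Vulnerability("analytics_dataset", "unencrypted offsite backups", 0.02, 1.0, 80_000),
]

if __name__ == "__main__":
    for r in prioritize(ASSETS, VULNS):
        print(f'{r["decision"]:<18} {r["asset"]:<18} EAL={r["expected_annual_loss"]:>9,.0f} '
              f'fix={r["remediation_cost"]:>7,.0f}  {r["weakness"]}')
```

The output is the table a CISO can bring to the C-suite: each row ties a weakness to a named business owner, a valuation basis and a financial figure, which is what turns the discussion from a technical list into a cost/benefit decision.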
Blended Risk and Vulnerability Assessments Quantify Business Needs
Some companies can get away with just “checking the boxes” with a generic security architecture.
Challenge your organization to determine its risk profile and identify the right security architecture based on its cost/benefit analysis. As a result, you’ll be able to make clear-eyed decisions about assuming and mitigating risks. In addition, you will have elevated security to a business discussion that the board will want to review.
Our modern digital world has high stakes, and most business leaders are flying blind. Unfortunately, cybercriminals are upping their game because they know that most organizations have valuable data that is relatively unprotected. That data can either be sold or encrypted and held for ransom with little or no risk to the criminal but with severe consequences to businesses. As a result, risk management in the digital world will make or break many companies, and executive leaders need to treat it as a fiduciary priority.