“If we reduce the surface area for attacks we can reduce our risk thereby reducing our cost of goods sold.”
Speaking the language of business
Risk is about forecasting future loss. Credit risk puts loss in business terms: dollars and cents over time. Putting cybersecurity risk analysis results in business terms is a clear step forward. But if we only go this far, we leave a lot on the table.
Here are three concepts to help bridge the gap:
- Profit & Loss (P&L)
- Customer Acquisition
- Customer Value
Learning these concepts will improve the value of risk analyses to your organization.
1. Understand Profit and Loss
Arm yourself by knowing how to read and reference profit and loss statements. Tying forecast risk to changes in cost and revenue is a step toward maturity. Impress business leaders by aligning the cybersecurity landscape to a P&L.
2. Know your Customer Acquisition Channels
Customer acquisition is directly linked to cash flow, the lifeblood of an organization. The goal here is to flesh out the ways your organization earns new business. Most people I run into know the channels. Yet, not enough understand the critical steps affected by cybersecurity concerns. Tuning into product channels forces analysts to align with management.
3. Learn how your organization performs Customer Valuation
Understanding customer acquisition is the pathway to customer valuation. When we work with new customers, we want to understand how they value their own customers. People who specialize in measuring customer value often work in:
- Product management
- Business analysis
- Sales
- Marketing
Sometimes we do not get access to the values on time. 10-K or 10-Q reports serve as a reasonable fallback. Forecast reputation losses are often the scariest outcomes of an analysis. The ability to illustrate the effect on key business metrics, such as churn, is powerful.
Putting it all together
You don’t have to earn an MBA to competently use these concepts in your analyses. Exploring the tip of the iceberg should improve the quality and reliability of your work. You should also experience improvement in your ability to communicate risk within the business.
What next?
Are you eager to see this level of business rigor in your organization’s risk analyses? At RiskLens, we talk about these and many other core concepts in our training courses. We teach students about the FAIR model and how to leverage it when conducting analyses. FAIR is both a taxonomy and an ontology of the factors that contribute to risk. The model provides clear nomenclature to enable a dialog regarding risk among technical and non-technical employees and, most importantly, to quantify risk in dollars and cents. If you're interested in learning more about FAIR, contact us to discuss training for your team.