3 Business Concepts Every Cybersecurity Risk Analyst Should Know

Try this statement on for size:
“If we reduce the surface area for attacks we can reduce our risk thereby reducing our cost of goods sold.”
Did that sound like a foreign language? If so, buckle up; this message is for you.

Speaking the language of business

Risk is about forecasting future loss. Credit risk puts loss in business terms: dollars and cents over time. Putting cybersecurity risk analysis results in business terms is a clear step forward. But, if we only go this far we leave a lot on the table.

Here are three concepts to help bridge the gap:

  1. Profit & Loss (P&L)
  2. Customer Acquisition
  3. Customer Value

Learning these concepts will improve the value of risk analyses to your organization.

1. Understand Profit and Loss

Arm yourself by knowing how to read and reference profit and loss statements. Tying forecast risk to changes in cost and revenue is a step toward maturity. Impress business leaders by aligning the cybersecurity landscape to a P&L.

2. Know your Customer Acquisition Channels

Customer acquisition is directly linked to cash flow, the lifeblood of an organization. The goal here is to flesh out the ways your organization earns new business. Most people I run into know the channels. Yet, not enough understand the critical steps affected by cybersecurity concerns. Tuning into product channels forces analysts to align with management.

3. Learn how your organization performs Customer Valuation

Understanding customer acquisition is the pathway to customer valuation. When we work with new customers we want to understand how they valuate customers. People who specialize in measuring customer value often work in:

  • Product management
  • Business analysis
  • Sales
  • Marketing

Sometimes we do not get access to the values on time. 10-K or 10-Q reporting serve as reasonable fall back. Forecasting reputation losses are often the scariest outcomes of an analysis. The ability to illustrate the effect on key business metrics, such as churn, is powerful.

Putting it all together

You don’t have to earn an MBA to competently use these concepts in your analyses. Exploring the tip of the iceberg should improve the quality and reliability of your work. You should also experience improvement in your ability to communicate risk within the business.

What next?

Are you eager to see this level of business rigor in your organization’s risk analyses? At RiskLens, we talk about these and many other core concepts in our training courses. We teach students about the FAIR model and how to leverage it when conducting analyses. FAIR is both a taxonomy and an ontology of the factors that contribute to risk. The model provides clear nomenclature to enable a dialog regarding risk among technical and non-technical employees and most importantly: quantify risk in dollars and cents. If you’re interested in learning more about FAIR, contact us to discuss training for your team.