With budget tight, an IT services firm faced some difficult choices: which of two competing cybersecurity solutions would deliver the most defense per dollar and, bigger picture, which direction to take its security strategy. The company called in a RiskLens team led by Senior Risk Consultant Isaiah McGowan.
Read Isaiah’s notes to pick up the story:
The CISO and his team were tasked with quantifying cyber risk as part of their business cases for prioritizing security projects and making better purchasing decisions. That directive came straight from the board of directors.
At the same time, the CISO had to squeeze everything possible out of a tight information security budget, and they thought that 'quantification' would be the way to do it.
In fact, they actually cut from their budget the purchase of a GRC tool so they could get a quantitative risk analytics solution, which they knew the GRC tool could not provide.
Again, their goals were prioritizing security initiatives and calculating the ROI on cybersecurity spending. In particular, they had two competing security solutions (both emerging technologies) they could deploy and wanted to decide which to go with first.
Now, this is a company with a mature security apparatus and they had data readily available for the analysis on the frequency of threat events and the security posture of the environment. They did not have a lot of data on how much breaches would cost them.
We helped them find the right subject matter experts in the company and helped them identify the questions to ask to get the right data on potential financial losses. Some of these losses included possible fines and judgments, lost market share or lost customer base that might result from breaches, particularly of the sensitive customer data they hold.
We also brought loss data to the table, for instance, typical fines and judgment costs or breach-response costs. For reputation loss, we always contextualize it for the customer. Even though we know typical costs, that always varies.
Executive leadership had an inkling that their losses in a data breach could be substantial. But it wasn’t until the CISO pulled on the thread by showing them our findings that they really saw that these security events pack a punch. Their reaction was: “We had an intuitive feeling it could be bad, but now we have substantiated it with numbers.”
There was another key moment. We had a skeptic to the whole process who said that quantifying cyber risk could not be done, and we proved that it could. That was the legal counsel. And that’s no surprise because lawyers don’t like putting ceilings on the cost of anything!
Here’s how the analyses worked out for one security solution vs. the other.
Option 1, deploying a proxy solution for their remote workforce, delivered an average $2.8 million risk reduction for a $150,000 investment.
Option 2, deploying a zero-day defense, delivered a $1.8 million risk reduction for a $1.2 million investment.
So Option 1 was the clear winner, and that was an ‘aha!’ moment there. They gave an immediate yes to the purchase decision. They said ‘You’re including all the data points that are critical. We’ve never seen that before and we’re going to start expecting that every time.’
What’s impressive here, and that’s true in most of our engagements, is that going through the exercise of using the FAIR model in the RiskLens application puts structure to the work and causes companies to think about things they’ve never thought about before. They answer questions they never asked before and leverage data they had but didn’t know how to use.
And that’s the biggest ‘aha!’ moment.