In a new article for the Wall Street Journal's WSJ Pro Cybersecurity newsletter, Kim S. Nash writes that “Corporate security leaders often fight a perception among other senior leaders that cybersecurity efforts bring costs without quantifiable returns.
“Linking cybersecurity to the financial health of a company can help convince boards and chief executives to greenlight investment in new security projects.”
Read: “Security Leaders Show Business Benefits of Cyber Spending” in WSJ Pro Cybersecurity (subscription required)
As an example, Nash quotes Guillermo Guerra, CISO at Prudential PLC, as saying he’d like to be able to make a case to the board that new voice recognition authentication technology pays off in improved call-center efficiency, not just security.
For their part, boards would like to see how CISOs “prioritize different elements of risk to help get a handle on how, where and how quickly they may need to spend money to shore things up,” Angela Brock-Kyle, chief executive of B.O.A.R.D.S., a governance consultancy, tells The Journal.
Nash quotes Guerra talking about a pitfall in presenting non-financial security metrics to boards: “The moment you start putting in new tools and detection capabilities, suddenly you have to explain to the board why you’re seeing more incidents and alerts. Well, before we just weren’t seeing it -- it’s a good thing we’re seeing it now.”
The FAIR model for quantitative risk analysis, the engine behind the RiskLens cyber analytics application, was purposely built to solve just these sorts of board-CISO communication gaps. FAIR analysis breaks down cyber risk into a range of probable losses in financial terms that enable decision makers to clearly see the potential return on security investments.
Read more coverage by the Wall Street Journal of the growing movement behind FAIR and cyber risk quantification in these blog posts:
“If CISOs push back on quantifying potential loss, I find that unacceptable as a director.” CISOs “need to advance,” James tells the Journal.
The Journal profiles the FAIR implementation at Charles Schwab Corp., quoting one executive as saying “The key value that FAIR provides is a consistent way to communicate these risks and what we should be doing about them as a firm.”