The importance of managing cybersecurity risk
Because organizations are so reliant on computing processes to run their business, the need to manage the associated risks has become critical. Several trends are driving the transition from technical, compliance-based approaches to cybersecurity to business-aligned, risk-based ones:
As a result of this, boards of directors and executive management teams must now understand the cyber risk posture of their businesses and the business underpinnings of risk mitigation initiatives.
When it comes to defining risk, confusion reigns supreme
Despite the importance of the task, many organizations are building cyber risk management programs on a very shaky foundation, as they do not have a clear understanding of what they are assessing and managing. Our customer engagements, even with some of the world’s largest companies, reveal that most often there is no common method in place to define, analyze, and manage cybersecurity risk. Evidence of that presents itself in multiple forms:
The cybersecurity industry may be doing more harm than good. Many vendors spice up their marketing message and attempt to make themselves relevant at the business level by touting themselves as a risk management solution and implicitly or explicitly pushing for definitions of risk that help their cause.
However, there are great products out there that can help reduce risk through the increased visibility they provide. What's missing in these tools, though, is risk context, i.e., any meaningful measurement of significance on a finding-by-finding basis. As a result, users and decision-makers are left to their own devices to interpret the information. Or, too often, these tools inaccurately represent their findings as risk.
What is risk?
In order to bring some sanity to the discussion, let’s start with a basic definition of risk. The following definition applies regardless of whether you’re talking about investment risk, market risk, credit risk, information risk, or any of the other commonly referenced risk domains. Risk = the probable frequency and probable magnitude of future loss.
In other words, how often something bad is likely to happen, and how much loss is likely to result. In the cybersecurity arena, these probabilities are derived from the combination of threat, vulnerability, and asset characteristics.
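To make the definition concrete, here is an added illustrative model (not code from the original article, from FAIR, or from RiskLens): loss event frequency is taken as threat event frequency times a vulnerability probability, loss magnitude as a low/likely/high estimate, and the two are combined both analytically and by simulation. All input values are constructed for the example.

```python
"""Added example: risk = probable frequency x probable magnitude of loss.
The loss-event-frequency = threat-event-frequency x vulnerability structure
is a simplification in the spirit of FAIR, not the standard itself."""
import math
import random
import statistics


def expected_annual_loss(tef, vulnerability, low, likely, high):
    """Analytic expectation: loss events per year (threat events/year times
    the probability a threat event becomes a loss) times the mean of a
    triangular low/likely/high loss-magnitude estimate."""
    loss_event_frequency = tef * vulnerability
    mean_magnitude = (low + likely + high) / 3.0
    return loss_event_frequency * mean_magnitude


def _poisson(rng, lam):
    """Sample the number of loss events in one year (Knuth's method)."""
    limit, k, p = math.exp(-lam), 0, 1.0
    while True:
        p *= rng.random()
        if p <= limit:
            return k
        k += 1


def simulate_annual_loss(tef, vulnerability, low, likely, high,
                         years=20000, seed=1):
    """Monte Carlo over many simulated years; returns the mean annual loss
    and the 90th-percentile year, a bad-year figure the mean alone hides."""
    rng = random.Random(seed)
    lam = tef * vulnerability
    totals = []
    for _ in range(years):
        events = _poisson(rng, lam)
        # random.triangular takes (low, high, mode)
        totals.append(sum(rng.triangular(low, high, likely)
                          for _ in range(events)))
    totals.sort()
    p90 = totals[int(0.9 * len(totals)) - 1]
    return statistics.fmean(totals), p90


if __name__ == "__main__":
    # Constructed scenario: 2 credible attempts/year, 30% become losses,
    # loss per event estimated at $10k / $50k / $200k (low/likely/high).
    params = (2.0, 0.3, 10_000, 50_000, 200_000)
    print("expected annual loss: $%.0f" % expected_annual_loss(*params))
    mean, p90 = simulate_annual_loss(*params)
    print("simulated mean: $%.0f, 90th-percentile year: $%.0f" % (mean, p90))
```

The analytic figure is what "how often" times "how much" yields on average; the percentile shows why a single number is not the whole risk picture.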
Having established this basic definition of risk, a few key questions have to be answered in order to consistently and effectively manage cybersecurity risk:
Assessing risk in financial terms
The emergence in the last few years of a risk standard such as Factor Analysis of Information Risk (FAIR), and of FAIR-based cyber risk quantification solutions such as RiskLens, has helped organizations answer these questions consistently and articulate cybersecurity risk in non-technical terms (i.e., dollars and cents), a language that all stakeholders understand.