Boards: 5 Things about Cyber Risk Your CISO Isn't Telling You (without Risk Quantification)

August 16, 2019  Jeff B. Copeland

As Jack Jones tells the story, he started down the road to creating the FAIR model for cyber risk quantification because of “two questions and two lame answers.” As CISO at Nationwide Insurance, he presented his pitch for cybersecurity investment and was asked:

  • How much risk do we have?
  • How much less risk will we have if we spend the millions of dollars you’re asking for?

To which Jack could only answer “Lots” and “Less.”

“If he had asked me to talk more about the ‘vulnerabilities’ we had or the threats we faced, I could have talked all day,” he recalled in the FAIR book, Measuring and Managing Information Risk.

In that moment of embarrassment, Jack saw the need for a way that cybersecurity teams could communicate risk to senior executives and boards of directors in the language of business, dollars and cents.

Some CISOs are still where Jack was before quantification – talking all day and, from the board’s point of view, delivering lame answers. Here’s a short guide to what they’re not saying.

1. I don’t really know what our top risks are

I can ask a group of subject matter experts in the company to vote on a top risks list based on their opinions, but that’s as close as I can get. 

The most-requested first risk analysis from RiskLens customers is identifying the organization’s top five or more risks. This bread-and-butter FAIR analysis clarifies, in financial terms, the probable loss exposure of a set of scenarios (such as “an employee accidentally emails a database of customer personal information to a third party, resulting in loss of confidentiality”). Clients can then compare the analyses to find the scenarios generating the most loss exposure.

2. I can’t give you an ROI on the money you give me to invest in cybersecurity

You see, cybersecurity is different from other programs you’re asked to invest in – it’s constantly changing and never-ending. You never really hit a point of success, you just chip away at the problem.  

Again, return-on-investment analysis is a standard output of the RiskLens Platform: it takes the current state of loss exposure on a scenario – such as one of the organization’s Top Five – and runs what-if analyses to test, for instance, which of two proposed controls would produce the greater reduction in loss exposure, based on the company’s previous experience with those controls. Powered by a Monte Carlo analysis engine, the platform runs thousands of simulations to produce a range of probable outcomes in dollar amounts, displayed as a Loss Exceedance Curve.

3. I can’t really tell you if things are getting better on cyber risk.

I can show you our progress with compliance checklists and maturity scales, and I hope you’ll assume that’s reducing risk.  

CISOs have their pick of many standards and frameworks – NIST CSF, CIS Controls, ISO 27005 and more – that are essentially lists of best practices for cybersecurity operations. Security organizations can even score themselves on a numeric maturity scale based on how many best practices they’ve checked off the list. While good and useful, these frameworks don’t measure performance outcomes in reducing risk. The FAIR model takes the next step, showing practitioners how to select among best practices to target top risks and deliver the most ROI.

4. I can’t help you set a risk appetite.

I don’t really know how much risk we have and am pretty much operating on the principle that no risk is acceptable.  

Boards should have a strong sense of their appetite for risk in cyber as in all fields, but qualitative (high-medium-low) risk analysis only supports vague appetite statements that are difficult to follow in practice. With FAIR analysis through the RiskLens Platform, boards can judge specific scenarios – for instance, a breach of one million records – for their probable impact in dollar figures and set specific appetites for risk. The goal of good risk management should be, as RiskLens board member and enterprise risk management (ERM) authority James Lam has written, “not minimizing or avoiding risks but optimizing risk/return trade-offs”.
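The three mechanics described above – ranking scenarios by probable loss exposure (item 1), testing two controls for ROI with a Monte Carlo run that yields a Loss Exceedance Curve (item 2), and checking a specific scenario against a dollar-denominated risk appetite (item 4) – can be shown in a few dozen lines. The script below is an added illustration, not code from RiskLens or the FAIR standard. It assumes the common FAIR practice of calibrated min / most-likely / max estimates sampled from a PERT (Beta) distribution, with event counts drawn from a Poisson process; the scenario figures, control effects and control costs are constructed for the example and are not client data.

```python
"""FAIR-style Monte Carlo loss exposure: ALE, loss exceedance curve, control ROI.
Added example; every number below is constructed for illustration."""
import math
import random
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Scenario:
    """A loss scenario with calibrated (min, most likely, max) estimates.
    lef: loss event frequency per year; lm: loss magnitude per event in USD."""
    name: str
    lef: tuple
    lm: tuple


@dataclass(frozen=True)
class Control:
    """Hypothetical control: scales frequency and/or magnitude, and costs money."""
    name: str
    lef_factor: float   # 1.0 = no change; 0.4 = cuts event frequency 60%
    lm_factor: float    # 1.0 = no change; 0.5 = halves per-event loss
    annual_cost: float  # USD per year


def pert(rng, lo, mode, hi):
    """Sample a modified-PERT value: the Beta(alpha, beta) shape that fits a
    min / most-likely / max triple, scaled back onto [lo, hi]."""
    if hi <= lo:
        return lo
    alpha = 1 + 4 * (mode - lo) / (hi - lo)
    beta = 1 + 4 * (hi - mode) / (hi - lo)
    return lo + rng.betavariate(alpha, beta) * (hi - lo)


def poisson(rng, lam):
    """Number of loss events in one year at expected rate lam (Knuth's method)."""
    limit, k, p = math.exp(-lam), 0, 1.0
    while True:
        p *= rng.random()
        if p < limit:
            return k
        k += 1


def simulate(scn, trials=10_000, seed=1):
    """Return one simulated annual loss (USD) per trial."""
    rng = random.Random(seed)
    losses = []
    for _ in range(trials):
        rate = pert(rng, *scn.lef)          # this year's event frequency
        events = poisson(rng, rate)         # how many events actually occur
        losses.append(sum(pert(rng, *scn.lm) for _ in range(events)))
    return losses


def ale(losses):
    """Annualized loss exposure: the mean of the simulated annual losses."""
    return sum(losses) / len(losses)


def percentile(losses, q):
    s = sorted(losses)
    return s[min(len(s) - 1, int(q * len(s)))]


def exceedance_probability(losses, threshold):
    """One point on the loss exceedance curve: P(annual loss > threshold)."""
    return sum(1 for x in losses if x > threshold) / len(losses)


def apply_control(scn, ctl):
    """Scale the scenario's frequency and magnitude estimates by the control."""
    return replace(scn, name=f"{scn.name} + {ctl.name}",
                   lef=tuple(v * ctl.lef_factor for v in scn.lef),
                   lm=tuple(v * ctl.lm_factor for v in scn.lm))


def compare_controls(scn, controls, trials=10_000, seed=1):
    """Net annual benefit of each control: ALE reduction minus its cost."""
    base = ale(simulate(scn, trials, seed))
    out = {}
    for c in controls:
        treated = ale(simulate(apply_control(scn, c), trials, seed))
        out[c.name] = {"ale": treated, "reduction": base - treated,
                       "net_benefit": base - treated - c.annual_cost}
    return out


if __name__ == "__main__":
    leak = Scenario("Employee emails customer DB to third party",
                    lef=(0.5, 2.0, 6.0), lm=(100_000, 500_000, 3_000_000))
    losses = simulate(leak)
    print(f"ALE ${ale(losses):,.0f}; 90th percentile ${percentile(losses, 0.9):,.0f}")
    for t in (1e6, 5e6, 10e6):   # a few points on the loss exceedance curve
        print(f"P(loss > ${t/1e6:.0f}M) = {exceedance_probability(losses, t):.1%}")
    # Appetite statement a board can test: "no more than a 10% chance of
    # losing over $5M from this scenario in a year".
    print("within appetite:", exceedance_probability(losses, 5e6) <= 0.10)
    options = [Control("DLP on outbound mail", 0.4, 1.0, 150_000),
               Control("Tokenize customer records", 1.0, 0.5, 250_000)]
    for name, r in compare_controls(leak, options).items():
        print(f"{name}: ALE ${r['ale']:,.0f}, net benefit ${r['net_benefit']:,.0f}/yr")
```

Because the controls are compared on the same seed and the same scenario, the ranking reflects their assumed effect rather than sampling noise; in practice the factor values would come from the organization’s own experience with the control, which is exactly the input the text says the ROI analysis depends on.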

5. I don’t know how to align cyber risk management with the other forms of risk management we do.

Enterprise risk, operational risk, market risk, financial risk—I’ve heard their board presentations in quantitative terms. But cyber is just different.  

As James Lam says, “The two major gaps in cybersecurity programs today are one, the lack of risk quantification and two, the lack of integration into an overall ERM program. The history of ERM indicates that managing risk by silos doesn’t work because risks are dynamic, they have critical interdependencies, and they need to be aggregated at the enterprise level.” Lam advises that boards should demand that cyber risk be considered on a par with other risks the organization manages. FAIR makes that possible by expressing cyber risk in the same financial terms that the rest of enterprise risk management programs operate on. FAIR is compatible with the widely used COSO ERM Integrated Framework for enterprise risk management.