I
t’s an old story: In a world of constantly evolving cyber threats and vulnerabilities, no one can promise perfect security. A CISO can’t change the world – but can change the story with a risk-based approach to security.
Quantifiable risk analysis using the FAIR model shifts the narrative from perfect security, in other words, from defending everywhere, to defending key assets against top risks, as defined in terms of probable frequency and probable size of losses from cyber events.
So, risk quantification puts a CISO in position to make some specific commitments to the organization, up to and including the board of directors, in the business terms everyone can understand. At the board level, for instance, a CISO can promise to address these board-centric concerns:
1. You’re not technical people. I’m not going to talk to you in technical terms.
No more techno-babble about patching counts or maturity scores. Cyber risk quantification puts the discussion in the same level as enterprise risk management that boards are used to hearing about, for instance, credit risk, financial risk or market risk – a range of probable outcomes expressed in money terms.
2. You want a general picture of how safe the organization is. I can tell you our top risks, and how they trend over time.
An analysis of an organization’s top 5 or top 10 risks is a standard starting point for adoption of FAIR practices. Essentially, it’s a process of identifying top assets and likely cyber event scenarios across the C-I-A triad (Confidentiality-Integrity-Availability), gathering event frequency and cost data from within and without the organization, and running a Monte Carlo simulation to generate a range of probable loss outcomes. With that in hand, analysts can develop a list of FAIR key risk indicators and track their change over time.
3. You want to know if management is investing in cybersecurity wisely. I can talk to you about return on investment.
With cyber risk quantification, CISOs can reliably run scenarios showing the effect in loss reduction of applying various controls, balanced against the cost of implementing controls – cybersecurity ROI. To further clarify that the right decisions are being made, the analysis can plot risk appetite against the results.
4. You’re charged with protecting shareholder value. I can talk to you as meaningfully as possible about reputation risks.
While no one can promise the business won’t suffer a catastrophic hit to reputation (and share price or credit-worthiness) a la Equifax, the top risks analysis points out the biggest points of vulnerability in terms of financial impact (including government fines and court judgements) and warns management where to deploy the heaviest defenses.
5. You’re increasingly liable for regulatory violations. I can help create the most effective risk disclosure for the regulators.
For public companies and financial companies, the SEC and New York Department of Financial Services have made it perfectly clear that boards will be held responsible for inadequate disclosure of cyber risks that could lead to material impact. Just take a look at the SEC cyber risk disclosure requirements – frequency of cyber events, probability and magnitude of incidents, adequacy of controls, etc. – they read like the outputs of a FAIR analysis.
The RiskLens Cyber Risk Quantification (CRQ) platform is purpose-built on FAIR, the international standard for cyber and technology risk analysis. The Wall St. Journal recently reported that FAIR is “gaining traction”among major companies – in fact, more than 30% of Fortune 1,000 companies use FAIR, to judge by the membership in the non-profit FAIR Institute.