Some dismal results from a PwC survey show that many CISOs face a serious credibility gap on infosecurity budgeting. More than half of the senior business executives surveyed said they lack confidence that spending on cyber is:
- Linked to overall enterprise or business unit budgets in a strategic, risk-aligned, and data-driven way
- Allocated towards the most significant risks to the organization
- Focused on remediation, risk mitigation, and/or response techniques that will provide the best return on cyber spending
“With confidence lagging in the process used to fund cybersecurity, executives say it’s time for an overhaul,” the survey concludes — and now more than ever in a year when budgets are being closely questioned as organizations pivot spending to adjust to new economic realities brought on by the pandemic and the forces of digital transformation.
What’s the problem? Too many CISOs can’t speak to the business about cyber risk in the financial terms the business demands from other operations leaders: justifying spending on a return-on-investment (ROI) basis.
Instead, they may fall back on benchmarking budget against industry standards – but as respected security blogger Phil Venables writes, benchmarks are misleading because:
“Your risk is not my risk
“Your business is not my business
“Your threat outlook is not mine
“Just because you and I spend roughly the same doesn’t mean we will get the same result, I might have different people, different issues, different established infrastructure and so on.”
Other CISOs may do what RiskLens co-founder Steve Tabacek describes as “spreading their budget across their domain like peanut butter spread evenly on a piece of bread” to ensure every area gets some coverage. “But that doesn’t meet the efficiency test. The depth of coverage for each one of these areas should be aligned to a formalized risk management approach.”
FAIR™ Cyber Risk Analysis on the RiskLens Platform: Better and Faster Budget Guidance
Factor Analysis of Information Risk (FAIR) is the international standard for quantitative cyber risk management; the RiskLens platform powers FAIR cyber risk analysis. With FAIR and RiskLens, CISOs can make spending prioritization and budget decisions based on a financial understanding of cyber risk, and get the data they need to support those decisions, faster and easier than ever before.
That applies to the typical budget categories for IT security spending:
- Regulatory/audit compliance: Determine the most cost-effective controls for risk reduction
- Maintenance of existing systems: See the true costs of legacy controls, based on cost-benefit analysis
- New initiatives: Measure the effect on loss exposure of a wider attack surface for new digital products, then compare alternate risk treatments or process changes to mitigate.
[Image: A RiskLens Risk Treatment Analysis report]
Here’s how RiskLens makes it easier and faster:
- Rapid Risk Assessments make it possible to analyze and prioritize risks in minutes rather than hours or days. A guided workflow that simplifies FAIR analysis lets your team quickly scope, analyze and prioritize risks.
- Instead of time-consuming data collection, the platform leverages pre-populated loss tables and data helpers that combine industry and organization-specific data on, for instance, probable event frequency and losses.
- Based on that data, the Rapid Risk Assessment generates in minutes a prioritized list of your risks by severity. You customize the list by the criteria most useful to your decision-making process: highest probable loss, most likely to exceed risk appetite, etc., to understand which risks matter most.
- Next, run a few of the highest priority risks through a more detailed analysis on the platform for a closer look at which factors (high frequency? big impacts?) are pushing these loss events to the top, with a view to identifying the controls, process changes or other risk treatments that would best mitigate them.
- Time to run Risk Treatment Analysis, the platform’s powerful capability to compare risk treatments for their relative effect on risk reduction: See how much risk in dollars you buy down with every dollar invested in one control vs. others.
Factor in the cost of each risk treatment and you have a complete set of cost-benefit analyses that can be fine-tuned for your organization’s decision criteria, for instance, best return on investment for risk reduction, most risk reduction, treat or accept a risk based on risk appetite, and more. In other words, clear direction to make truly informed decisions on optimizing a cybersecurity budget – all at the speed that business demands.
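To make the cost-benefit step above concrete, here is an added example (not RiskLens platform code and not the FAIR standard's own reference implementation) of a FAIR-style Monte Carlo in plain Python. It models one scenario with FAIR's two top-level factors, Loss Event Frequency (LEF) and Loss Magnitude (LM), simulates annual losses to get an annualized loss exposure (ALE) and the probability of exceeding a risk appetite, then ranks candidate treatments by dollars of ALE removed per dollar of annual cost. The scenario ranges, the treatment names, their costs and their effect factors are all constructed for illustration; the assumption that a control scales LEF or LM by a fixed factor is a simplification.

```python
"""Added illustration: FAIR-style Monte Carlo of annualized loss exposure and
a risk-treatment cost-benefit comparison. All inputs are constructed; this is
not RiskLens code and not an official FAIR implementation."""
import math
import random
import statistics
from dataclasses import dataclass


@dataclass(frozen=True)
class Scenario:
    """One loss scenario with FAIR's two top-level factors.

    lef: Loss Event Frequency per year as (min, most likely, max).
    lm:  Loss Magnitude per event in dollars as (min, most likely, max).
    Both are calibrated-estimate ranges (constructed for this example).
    """
    lef: tuple
    lm: tuple


@dataclass(frozen=True)
class Treatment:
    """A control or process change: its annual cost and the fraction of LEF / LM
    that remains once it is in place (1.0 = no effect). Assumed fixed factors."""
    name: str
    annual_cost: float
    lef_factor: float = 1.0
    lm_factor: float = 1.0

    def apply(self, s: Scenario) -> Scenario:
        return Scenario(
            lef=tuple(x * self.lef_factor for x in s.lef),
            lm=tuple(x * self.lm_factor for x in s.lm),
        )


def _poisson(rng: random.Random, lam: float) -> int:
    """Knuth's Poisson sampler (the stdlib random module has none)."""
    limit = math.exp(-lam)
    k, p = 0, rng.random()
    while p > limit:
        k += 1
        p *= rng.random()
    return k


def simulate_annual_losses(s: Scenario, years: int = 10_000, seed: int = 7) -> list:
    """Total loss per simulated year: draw a frequency from the LEF range, draw a
    Poisson event count at that frequency, then sum one magnitude draw per event."""
    rng = random.Random(seed)
    lo_f, mode_f, hi_f = s.lef
    lo_m, mode_m, hi_m = s.lm
    losses = []
    for _ in range(years):
        rate = rng.triangular(lo_f, hi_f, mode_f)  # stdlib order is (low, high, mode)
        n_events = _poisson(rng, rate)
        losses.append(sum(rng.triangular(lo_m, hi_m, mode_m) for _ in range(n_events)))
    return losses


def summarize(losses: list, risk_appetite: float) -> dict:
    """ALE (mean annual loss), the 90th percentile, and P(annual loss > appetite)."""
    ordered = sorted(losses)
    return {
        "ale": statistics.fmean(losses),
        "p90": ordered[int(0.9 * len(ordered))],
        "p_exceed_appetite": sum(1 for x in losses if x > risk_appetite) / len(losses),
    }


def compare_treatments(base: Scenario, treatments: list, risk_appetite: float) -> list:
    """Cost-benefit rows, sorted by ROI: ALE dollars removed per dollar of annual cost."""
    base_stats = summarize(simulate_annual_losses(base), risk_appetite)
    rows = []
    for t in treatments:
        stats = summarize(simulate_annual_losses(t.apply(base)), risk_appetite)
        reduction = base_stats["ale"] - stats["ale"]
        rows.append({
            "treatment": t.name,
            "annual_cost": t.annual_cost,
            "ale_reduction": reduction,
            "net_benefit": reduction - t.annual_cost,
            "roi": reduction / t.annual_cost,
            "p_exceed_appetite": stats["p_exceed_appetite"],
        })
    return sorted(rows, key=lambda r: r["roi"], reverse=True)


# Constructed example: a ransomware scenario and three hypothetical treatments.
RANSOMWARE = Scenario(lef=(0.2, 0.5, 1.5), lm=(50_000, 400_000, 3_000_000))
TREATMENTS = [
    Treatment("MFA on all remote access", 120_000, lef_factor=0.4),
    Treatment("Offline, tested backups", 60_000, lm_factor=0.5),
    Treatment("EDR rollout", 250_000, lef_factor=0.7, lm_factor=0.8),
]
RISK_APPETITE = 2_000_000  # maximum tolerable annual loss, constructed


if __name__ == "__main__":
    for r in compare_treatments(RANSOMWARE, TREATMENTS, RISK_APPETITE):
        print(f"{r['treatment']:<26} cost ${r['annual_cost']:>9,.0f}  "
              f"ALE reduction ${r['ale_reduction']:>10,.0f}  "
              f"ROI {r['roi']:4.1f}x  P(> appetite) {r['p_exceed_appetite']:.1%}")
```

With these constructed inputs the two decision criteria named above diverge: the backup control wins on return per dollar because it is cheap and halves the magnitude of every event, while the MFA control removes the most ALE in absolute terms because it cuts frequency hardest. Which one the budget should fund first depends on the criterion the organization has chosen (best ROI, most risk reduction, or getting the probability of exceeding the risk appetite under a threshold), which is exactly why that criterion has to be stated before the numbers are compared.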