Feeling like a hostage of security
"They are grossly overstating risk and that is leading our organization to make decisions that are always aligned to the worst possible case. They are not dealing with real-world assumptions and that is hurting our business."
He then explained how risk estimates in his company are calculated based on the worst possible outcome. Their implied risk formula is (max. impact of loss event) x (100%). No consideration is given to the actual probability of a loss event on an annual basis. The effect of that is that decisions in his organization are being made based on estimates of risk that greatly exceed reality.
"We are probably vastly overspending in security and slowing the pace of business."
Finding the right risk balance
"We are looking for ways to balance the need to protect our organization with running our business. We feel that if we had the means to quantify the actual cybersecurity risk in a more realistic way, using probability of outcomes and getting to dollar figures we believe in, that would allow us to make more informed and cost-effective decisions."
I replied that our profession had made rapid advances in the last couple of years. The emergence of standard risk models, such as FAIR, that take into account all the factors of risk, along with the use of proven mathematical simulations contained in solutions such as RiskLens, has been helping organizations quantify risk as a distribution of probabilities representing the entire spectrum of possible outcomes (see example below).
With that data at hand, companies can now decide if they want to make business decisions based on most likely outcomes or if they want to take a more conservative, risk-averse approach by basing their decisions on a higher percentile.
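To make the contrast concrete, here is a small Monte Carlo sketch added for this post (not RiskLens code and not from the original article): it simulates annual loss as a FAIR-style loss event frequency times a per-event loss magnitude, then puts the resulting mean and percentiles next to the worst-case figure from the (max impact) x (100%) formula. All scenario numbers are constructed.

```python
"""Monte Carlo sketch: worst-case estimate (max impact x 100%) versus a
FAIR-style distribution of annual loss. Added illustration, not from the post;
all scenario numbers below are constructed."""
import math
import random
import statistics


def poisson(rng, lam):
    """Knuth's method: sample the number of loss events in one year (mean lam)."""
    limit, k, p = math.exp(-lam), 0, 1.0
    while True:
        p *= rng.random()
        if p <= limit:
            return k
        k += 1


def simulate_annual_losses(lef_per_year, magnitude_median, magnitude_sigma,
                           max_impact, trials=10_000, seed=7):
    """One simulated year per trial: loss event frequency (Poisson) combined
    with per-event loss magnitude (lognormal, capped at max_impact)."""
    rng = random.Random(seed)
    mu = math.log(magnitude_median)  # lognormal median -> underlying mu
    losses = []
    for _ in range(trials):
        events = poisson(rng, lef_per_year)
        losses.append(sum(min(rng.lognormvariate(mu, magnitude_sigma), max_impact)
                          for _ in range(events)))
    return losses


def summarize(losses, max_impact):
    """Put the worst-case figure next to percentiles of the simulated distribution."""
    s = sorted(losses)
    pct = lambda q: s[min(len(s) - 1, int(q * len(s)))]
    return {
        "worst_case": float(max_impact),  # (max impact of loss event) x 100%
        "mean": statistics.fmean(s),      # expected annualized loss
        "p50": pct(0.50), "p90": pct(0.90), "p99": pct(0.99),
    }


# Constructed scenario: one event every two years on average, median loss $50k,
# wide spread, and a $2M cap on any single event.
SCENARIO = dict(lef_per_year=0.5, magnitude_median=50_000,
                magnitude_sigma=1.0, max_impact=2_000_000)

if __name__ == "__main__":
    summary = summarize(simulate_annual_losses(**SCENARIO), SCENARIO["max_impact"])
    for name, value in summary.items():
        print(f"{name:>10}: ${value:,.0f}")
```

In this scenario the median simulated year has no loss at all, and even the 99th percentile sits far below the worst-case number, which is exactly the gap the CISO quoted above was describing.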
Security and compliance shouldn't feel that the business is disregarding their security recommendations, and the business shouldn't feel that security is holding it hostage. Instead, the business opportunity being seized and the level of risk the organization is willing to sign off on should both be the result of explicit, well-informed business decisions.
Consequences on risk governance
We continued discussing the impact that such an improved decision-making process can have from a governance perspective.
We ended up agreeing that: