11/7/2019 02:00 PM
Andrew Morrison
Commentary

To Prove Cybersecurity's Worth, Create a Cyber Balance Sheet

How tying and measuring security investments to business impacts can elevate executives' understanding and commitment to cyber-risk reduction.

The definition of success and the accurate measurement of the indicators of that success are business imperatives. In some fields, they are easily recognized and fairly simple to measure — for example, measuring sales volumes, return on investment (ROI), or customer satisfaction survey results.

However, in fields such as preventive medicine or aviation safety — where success is measured by diseases avoided or disasters averted — executives face the challenge of proving a negative to determine success. Cybersecurity is a prime example of this, with security teams struggling to succinctly demonstrate the ROI from not getting hacked last month or from not losing valuable customer data from the breach that never happened.

Having to prove a "crisis averted" makes it hard to demonstrate value in a way that traditional corporate executives can understand. However, given how organizations are prioritizing digital transformation initiatives to increase efficiencies and simplify environments, in both scope and proximity to core business operations, the mandate for doing so is increasingly urgent. The way to carry the value proposition of cyber beyond the walls of the IT office and onto the value-assurance and risk-management agendas of top organizational leaders is to frame the data in a format they can quickly process. CISOs can do this by tying security investments to business impacts through a cyber balance sheet.

The resulting impact of a cyber incident can be widespread and long-lasting. Therefore, investments in cyber-risk solutions should be substantiated and correlated to these business impacts, and the cost estimates of these impacts should evolve to reflect today's reality. Historical calculations (such as server downtime) and recovery time objectives are no longer enough.

Executives need to be able to consume the complexities of cyber-risk in business terms and receive repeatable, meaningful metrics upon which to base risk decisions. Often, the information provided by CISOs and security teams to update management on their cyber exposure is highly complex and written in a technical lexicon. This thwarts management's ability to truly understand, much less calculate, value regarding cyber-risk, and ultimately puts them at a disadvantage in their ability to effectively prioritize, govern, and execute on cyber programs that can have operational, financial, and reputational impacts.

Let's dig into the proposed cyber balance sheet. Balance sheets, and financial statements in general, exist to provide a broad view of the financial performance of an entity. They are based on a standard framework that takes vast amounts of data from many different sources and systems and consolidates that information down to a cohesive view of financial performance that is easily understood by those who consume it. The demands of cyber-risk reporting are analogous; large amounts of technical risk data need to be consumed from many systems and synthesized down to easily understandable, meaningful business risk terms to allow a variety of stakeholders to make decisions.

Using financial modeling, companies can adopt approaches for estimating both the direct and the hidden, intangible costs associated with cyber-risk and express those risks in traditional financial terms. These models should be based on industry-accepted frameworks (e.g., FAIR, NIST). A cyber balance sheet incorporates these financial models and related tools to gauge the impact differential between, say, two hours of downtime for an online merchant website versus two hours of downtime for a complex manufacturing line. While the former could mean lost customer data, the latter could cause a vast ripple effect on production and even shut down your just-in-time global supply chain because expensive infrastructure was sabotaged and destroyed.
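The following is an added example, not code from the article or from Deloitte, of the kind of FAIR-style financial model the paragraph describes. Each scenario is given a loss event frequency and a per-event loss magnitude as (minimum, most likely, maximum) estimates, and a seeded Monte Carlo simulation turns them into annualized loss expectancy (ALE) and tail percentiles that can sit side by side on a cyber balance sheet. The two scenarios and all dollar figures are constructed for illustration; the scenario names, the `SCENARIOS` table and the helper functions are assumptions of this example.

```python
import math
import random
import statistics

# Constructed example scenarios (assumption, not figures from the article): each risk
# is described FAIR-style by a loss event frequency (events per year) and a loss
# magnitude per event (USD), both as (minimum, most likely, maximum) estimates.
SCENARIOS = {
    "online_merchant_2h_outage": {
        "frequency": (1.0, 4.0, 12.0),
        "magnitude": (20_000, 150_000, 900_000),  # lost sales, response cost, customer-data exposure
    },
    "manufacturing_line_2h_outage": {
        "frequency": (0.5, 2.0, 6.0),
        "magnitude": (250_000, 2_000_000, 15_000_000),  # production ripple effects, supply chain, damaged equipment
    },
}


def sample_pert(rng, low, mode, high, lam=4.0):
    """Draw one value from a modified PERT distribution, the usual way a
    (min, most likely, max) expert estimate is turned into a calibrated range."""
    if high <= low:
        return low
    a = 1 + lam * (mode - low) / (high - low)
    b = 1 + lam * (high - mode) / (high - low)
    return low + rng.betavariate(a, b) * (high - low)


def pert_mean(low, mode, high, lam=4.0):
    """Closed-form mean of the modified PERT distribution."""
    return (low + lam * mode + high) / (lam + 2)


def sample_poisson(rng, rate):
    """Number of loss events in one year for a given annual rate (Knuth's method)."""
    threshold = math.exp(-rate)
    k, p = 0, 1.0
    while True:
        p *= rng.random()
        if p <= threshold:
            return k
        k += 1


def simulate_annual_losses(rng, scenario, years=10_000):
    """Monte Carlo: for each simulated year draw a frequency, then that many events,
    then a magnitude per event; return the list of total annual losses."""
    annual = []
    for _ in range(years):
        n_events = sample_poisson(rng, sample_pert(rng, *scenario["frequency"]))
        annual.append(sum(sample_pert(rng, *scenario["magnitude"]) for _ in range(n_events)))
    return annual


def summarize(annual_losses):
    """Condense a loss distribution into balance-sheet style figures."""
    ordered = sorted(annual_losses)

    def percentile(p):
        return ordered[min(len(ordered) - 1, int(p * len(ordered)))]

    return {
        "ale": statistics.fmean(annual_losses),  # annualized loss expectancy
        "p50": percentile(0.50),
        "p90": percentile(0.90),
        "p99": percentile(0.99),
        "worst_simulated": ordered[-1],
    }


def analytic_ale(scenario):
    """Expected annual loss without simulation: mean frequency times mean magnitude.
    Useful as a sanity check that the simulation is wired up correctly."""
    return pert_mean(*scenario["frequency"]) * pert_mean(*scenario["magnitude"])


def cyber_balance_sheet(scenarios=SCENARIOS, seed=7, years=10_000):
    """Return {scenario name: summary} so the risks can be compared in dollars."""
    rng = random.Random(seed)  # fixed seed keeps the report reproducible for the board pack
    return {name: summarize(simulate_annual_losses(rng, sc, years)) for name, sc in scenarios.items()}


if __name__ == "__main__":
    for name, row in cyber_balance_sheet().items():
        print(f"{name:32s} ALE ${row['ale']:>14,.0f}  P90 ${row['p90']:>14,.0f}  P99 ${row['p99']:>14,.0f}")
```

The P90 and P99 columns matter as much as the ALE: they are what a "how bad could it get" question from the board translates to, and a control that mainly trims the tail (for example, a tested recovery plan for the manufacturing line) shows its value there rather than in the expected loss.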

Organizational Steps Toward More Cyber Visibility and Investment
Against this backdrop, cyber-risk should be structured and measured beyond mere threats, vulnerabilities, and probability — and into the realm of fully assessing the nature and severity of risks; the "materiality" of threats for prioritizing remediation; and the decision support for both tactical judgments and larger strategic business decisions that affect the whole company.

Here are two examples that showcase the value of security in ways that executives understand and care about.

Demonstrating how a needed software or workflow improvement would solve not just an immediate security problem in one department but everyone's problem across numerous departments, if the approach were adopted organizationwide, would likely be well received and would offer a more federated approach to governance.

A government agency CIO could show how new FedRAMP security templates that inherit data from trusted multitenant cloud-based identity and access management platforms can not only plug security holes and reduce reporting violations but also boost efficiencies by reducing redundant compliance validation for applicants that use such services.

If leadership views the CISO and the security team as operational and focused only on technology or information risks, the cyber team could be treated as less of a strategic asset, and will become more of a strategic adviser. Ultimately, tying security investments to business impacts and measuring those effects with a cyber balance sheet approach will help elevate cyber-risk understanding and commitment among executives and boards.


Andrew Morrison is a principal in Deloitte & Touche LLP's Cyber Risk Services practice and specializes in assisting clients with the risk associated with cyber threats. Andrew currently serves as the US leader of Deloitte's Cyber Strategy, Defense, and Response practice. In ...