
Cloud | Commentary
11/7/2019 02:00 PM
Andrew Morrison

To Prove Cybersecurity's Worth, Create a Cyber Balance Sheet

How tying and measuring security investments to business impacts can elevate executives' understanding and commitment to cyber-risk reduction.

The definition of success and the accurate measurement of the indicators of that success are business imperatives. In some fields, they are easily recognized and fairly simple to measure — for example, measuring sales volumes, return on investment (ROI), or customer satisfaction survey results.

However, in fields such as preventive medicine or aviation safety — where success is measured by diseases avoided or disasters averted — executives face the challenge of proving a negative to determine success. Cybersecurity is a prime example of this, with security teams struggling to succinctly demonstrate the ROI from not getting hacked last month or from not losing valuable customer data from the breach that never happened.

Having to prove a "crisis averted" makes it hard to demonstrate value in a way that traditional corporate executives can understand. However, given how organizations are prioritizing a number of digital transformation initiatives to increase efficiencies and simplify environments, in both scope and proximity to core business operations, the mandate for doing so is increasingly urgent. The way to drive the value proposition of cyber beyond the walls of the IT office and onto the value assurance and risk management agendas of top organizational leaders is to frame the data in a format they can quickly process. CISOs can do this by tying security investments to business impacts through a cyber balance sheet.

The resulting impact of a cyber incident can be widespread and long lasting. Therefore, investments in cyber-risk solutions should be substantiated and correlated to these business impacts. And, the cost estimation of these impacts should evolve to meet today's reality. Historical calculations (such as server downtime) and recovery time objectives are no longer enough.

Executives need to be able to consume the complexities of cyber-risk in business terms and receive repeatable, meaningful metrics upon which to base risk decisions. Often, the information that CISOs and security teams provide to update management on their cyber exposure is highly complex and written in a technical lexicon. This thwarts management's ability to truly understand, much less quantify, cyber-risk, and ultimately puts them at a disadvantage in their ability to effectively prioritize, govern, and execute on cyber programs that can have operational, financial, and reputational impacts.

Let's dig into the proposed cyber balance sheet. Balance sheets, and financial statements in general, exist to provide a broad view of the financial performance of an entity. They are based on a standard framework that takes vast amounts of data from many different sources and systems and consolidates that information down to a cohesive view of financial performance that is easily understood by those who consume it. The demands of cyber-risk reporting are analogous; large amounts of technical risk data need to be consumed from many systems and synthesized down to easily understandable, meaningful business risk terms to allow a variety of stakeholders to make decisions.

Using financial modeling, companies can adopt approaches for estimating both the direct and hidden intangible costs associated with cyber-risk and express those risks in traditional financial terms. These models should be based on industry-accepted frameworks (e.g., FAIR, NIST, etc.). A cyber balance sheet incorporates these financial models and related tools to gauge the impact differential between, say, two hours of downtime for an online merchant website versus two hours of downtime for a complex manufacturing line. While the former could mean lost customer data, the latter could cause a vast ripple effect on production and even shut down your just-in-time global supply chain because expensive infrastructure was sabotaged and destroyed.
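The paragraph above describes the FAIR-style idea of expressing cyber-risk as loss event frequency times loss magnitude and comparing scenarios in dollars. The following is an added illustration, not code from the article or from Deloitte: a simplified FAIR-style Monte Carlo model that puts the two-hour-outage comparison (online merchant versus manufacturing line) on one balance-sheet-like table, then shows how a control that halves event frequency changes the annualized loss expectancy (ALE) and the return on security investment (ROSI). All frequency, magnitude and control-cost figures are constructed placeholders; a real model would take them from the organization's own incident data and calibrated estimates.

```python
"""Simplified FAIR-style loss model (added example; every number is a
constructed placeholder, not data from the article)."""
import random
from dataclasses import dataclass
from statistics import mean


@dataclass(frozen=True)
class Scenario:
    name: str
    lef: tuple  # loss event frequency per year: (min, most_likely, max)
    lm: tuple   # loss magnitude per event in USD: (min, most_likely, max)


def point_ale(s: Scenario) -> float:
    """Deterministic annualized loss expectancy from the most-likely values."""
    return s.lef[1] * s.lm[1]


def simulate_ale(s: Scenario, trials: int = 20000, seed: int = 7) -> dict:
    """Monte Carlo ALE: draw one frequency and one magnitude from each
    triangular range per trial, multiply, and summarise the distribution.
    Ranges are used instead of single numbers because the uncertainty
    (e.g. the P90 tail) is exactly what executives need to see."""
    rng = random.Random(seed)  # fixed seed so the table is reproducible
    losses = []
    for _ in range(trials):
        # random.triangular takes (low, high, mode)
        freq = rng.triangular(s.lef[0], s.lef[2], s.lef[1])
        mag = rng.triangular(s.lm[0], s.lm[2], s.lm[1])
        losses.append(freq * mag)
    losses.sort()
    return {
        "mean": mean(losses),
        "p50": losses[int(0.50 * trials)],
        "p90": losses[int(0.90 * trials)],
    }


def with_control(s: Scenario, freq_reduction: float) -> Scenario:
    """Scenario after a control that cuts loss event frequency by a fraction
    (e.g. 0.5 halves how often the outage is expected to occur)."""
    keep = 1.0 - freq_reduction
    return Scenario(s.name + " + control", tuple(x * keep for x in s.lef), s.lm)


def rosi(ale_before: float, ale_after: float, control_cost: float) -> float:
    """Return on security investment: net ALE reduction relative to the
    annual cost of the control. Negative means the control costs more than
    the loss it avoids for this scenario."""
    return (ale_before - ale_after - control_cost) / control_cost


# Constructed scenarios for the article's two-hour-outage comparison.
MERCHANT = Scenario("online merchant site, 2h outage",
                    lef=(2, 4, 8), lm=(20_000, 50_000, 150_000))
MANUFACTURING = Scenario("manufacturing line, 2h outage",
                         lef=(0.5, 1, 3), lm=(400_000, 1_500_000, 6_000_000))


def balance_sheet(scenarios, control_cost=250_000, freq_reduction=0.5):
    """One row per scenario: current ALE, its P90 tail, ALE after the
    control, and the resulting ROSI. Same control, same cost, applied to
    each scenario so the impact differential is directly comparable."""
    rows = []
    for s in scenarios:
        before = simulate_ale(s)
        after = simulate_ale(with_control(s, freq_reduction))
        rows.append({
            "scenario": s.name,
            "ale_mean": before["mean"],
            "ale_p90": before["p90"],
            "ale_after_control": after["mean"],
            "rosi": rosi(before["mean"], after["mean"], control_cost),
        })
    return rows


if __name__ == "__main__":
    for row in balance_sheet([MERCHANT, MANUFACTURING]):
        print(f"{row['scenario']:<36} ALE ${row['ale_mean']:>12,.0f}  "
              f"P90 ${row['ale_p90']:>12,.0f}  ROSI {row['rosi']:>6.2f}")
```

With these placeholder inputs the same $250k control shows a negative ROSI for the merchant site and a strongly positive one for the manufacturing line, which is the kind of differential the article says a cyber balance sheet should surface. The design choice worth noting is that the model reports a P90 as well as a mean: a board deciding on a control needs the plausible bad year, not just the average one.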

Organizational Steps Toward More Cyber Visibility and Investment
Against this backdrop, cyber-risk should be structured and measured beyond mere threats, vulnerabilities, and probability — and into the realm of fully assessing the nature and severity of risks; the "materiality" of threats for prioritizing remediation; and the decision support for both tactical judgments and larger strategic business decisions that affect the whole company.

Here are two examples that showcase the value of security in ways that executives understand and care about.

Demonstrating how a needed software or workflow improvement will solve not just an immediate security problem in one department but also the same problem in numerous departments, if the approach is adopted organizationwide, would likely be well received and would offer a more federated approach to governance.

A government agency CIO could show how new FedRAMP security templates that inherit controls from trusted multitenant cloud-based identity and access management platforms not only plug security holes and reduce reporting violations but also boost efficiencies by reducing redundant compliance validation for applicants that use such services.

If leadership views the CISOs and their teams as purely operational and focused only on technology or information risks, the cyber team will be treated as less of a strategic asset and less of a strategic adviser. Ultimately, tying security investments to business impacts and measuring those effects with a cyber balance sheet approach will help elevate cyber-risk understanding and commitment among executives and boards.


Andrew Morrison is a principal in Deloitte & Touche LLP's Cyber Risk Services practice and specializes in assisting clients with the risk associated with cyber threats. Andrew currently serves as the US leader of Deloitte's Cyber Strategy, Defense, and Response practice. In ...