11/7/2019 02:00 PM
Andrew Morrison
Commentary
To Prove Cybersecurity's Worth, Create a Cyber Balance Sheet

How tying and measuring security investments to business impacts can elevate executives' understanding and commitment to cyber-risk reduction.

The definition of success and the accurate measurement of the indicators of that success are business imperatives. In some fields, they are easily recognized and fairly simple to measure — for example, measuring sales volumes, return on investment (ROI), or customer satisfaction survey results.

However, in fields such as preventive medicine or aviation safety — where success is measured by diseases avoided or disasters averted — executives face the challenge of proving a negative to determine success. Cybersecurity is a prime example of this, with security teams struggling to succinctly demonstrate the ROI from not getting hacked last month or from not losing valuable customer data from the breach that never happened.

Having to prove a "crisis averted" makes it hard to demonstrate value in a way that traditional corporate executives can understand. However, given how organizations are prioritizing a number of digital transformation initiatives to increase efficiencies and simplify environments in both scope and proximity to core business operations, the mandate for doing so is increasingly urgent. The way to drive the value proposition of cyber beyond the walls of the IT office and onto the value assurance and risk management agendas of top organizational leaders is to frame the data in a format they can quickly process. CISOs can do this by tying security investments to business impacts through a cyber balance sheet.

The resulting impact of a cyber incident can be widespread and long lasting. Therefore, investments in cyber-risk solutions should be substantiated and correlated to these business impacts, and the cost estimates of these impacts should evolve to meet today's reality. Historical calculations (such as server downtime) and recovery time objectives are no longer enough.

Executives need to be able to consume the complexities of cyber-risk in business terms and receive repeatable, meaningful metrics upon which to base risk decisions. Often, the information provided by CISOs and security teams to update management on their cyber exposure is highly complex and expressed in a technical lexicon. This thwarts management's ability to truly understand, much less calculate, value regarding cyber-risk, and ultimately puts them at a disadvantage in their ability to effectively prioritize, govern, and execute on cyber programs that can have operational, financial, and reputational impacts.

Let's dig into the proposed cyber balance sheet. Balance sheets, and financial statements in general, exist to provide a broad view of the financial performance of an entity. They are based on a standard framework that takes vast amounts of data from many different sources and systems and consolidates that information down to a cohesive view of financial performance that is easily understood by those who consume it. The demands of cyber-risk reporting are analogous; large amounts of technical risk data need to be consumed from many systems and synthesized down to easily understandable, meaningful business risk terms to allow a variety of stakeholders to make decisions.

Using financial modeling, companies can adopt approaches for estimating both the direct and hidden intangible costs associated with cyber-risk and express those risks in traditional financial terms. These models should be based on industry-accepted frameworks (e.g., FAIR, NIST, etc.). A cyber balance sheet incorporates these financial models and related tools to gauge the impact differential between, say, two hours of downtime for an online merchant website versus two hours of downtime for a complex manufacturing line. While the former could mean lost customer data, the latter could cause a vast ripple effect on production and even shut down your just-in-time global supply chain because expensive infrastructure was sabotaged and destroyed.

Organizational Steps Toward More Cyber Visibility and Investment
Against this backdrop, cyber-risk should be structured and measured beyond mere threats, vulnerabilities, and probability — and into the realm of fully assessing the nature and severity of risks; the "materiality" of threats for prioritizing remediation; and the decision support for both tactical judgments and larger strategic business decisions that affect the whole company.

Here are two examples that showcase the value of security in ways that executives understand and care about.

Demonstrating how a needed software or workflow improvement will solve not just an immediate security problem in one department but also solve everyone's problem in numerous departments if the approach is adopted organizationwide would likely be well received and offer a more federated approach to governance.

A government agency CIO could show how new FedRAMP security templates that inherit controls from trusted multitenant cloud-based identity and access management platforms can not only plug security holes and reduce reporting violations but also boost efficiencies by reducing redundant compliance validation for applicants that use such services.

If leadership views CISOs and their teams as purely operational and focused only on technology or information risks, the cyber team will be treated as less of a strategic asset; framing cyber-risk in business terms positions it instead as a strategic adviser. Ultimately, tying security investments to business impacts, and measuring those effects with a cyber balance sheet approach, will help elevate cyber-risk understanding and commitment among executives and boards.


Andrew Morrison is a principal in Deloitte & Touche LLP's Cyber Risk Services practice and specializes in assisting clients with the risk associated with cyber threats. Andrew currently serves as the US leader of Deloitte's Cyber Strategy, Defense, and Response practice.