The Art of Calculating the Cost of Risk

In 409 A.D., when Flavius Honorius, the ruler of Rome, saw the invading hordes of Visigoths, he must have wondered whether he should have invested more gold into his perimeter defenses. History tells us that such an investment would have been appropriate, but perhaps Honorius' risk analysis never took into consideration the size and scope of a politically sponsored attack.

Centuries later, political and corporate leaders still face similar questions. Do we invest further in physical and digital security to protect our assets? Are our endpoints secure from malware and breaches? If attackers successfully enter the network, do we have the tools to defend it without compromising resources and data?

A key consideration today is whether enterprises should invest in proactive defenses to identify, detect, and protect the network, or whether they should focus on a reactive approach, responding and recovering from a cybersecurity event should one occur. These approaches are components of the National Institute of Standards and Technology (NIST) Cybersecurity Framework, which "integrates industry standards and best practices to help organizations manage their cybersecurity risks," according to the NIST website.

"Being proactive doesn't necessarily mean startups need heavy investments in technology," says John Hellickson, field CISO at Coalfire. "Instead, one could ensure the foundational elements, setting reasonable security policies and standards, implementing security from the start when standing up new IT infrastructure, and following secure coding guidelines when it comes to building applications is executed early on.

"As organizations grow, [they] should implement more comprehensive information security program elements, proactively assessing risks to mitigate those outside of the risk tolerance before likely threats are realized. Since every organization is unique, finding the right amount of investment is more of an art than science."

Enterprises have considerable motivations to be proactive at cybersecurity. Earlier this year, US Securities and Exchange Commission (SEC) Chairman Gary Gensler proposed several new rules that would put increased responsibility on C-suites and boards of directors to defend against data breaches. While the rules have yet to be ratified, some organizations already are implementing the proposed rules, including adding cybersecurity experts to corporate boards. To date, Gensler has proposed nearly 50 new rules.

Cyber Insurance Influences Risk Assessment

Another motivation is obtaining cyber insurance. Without appropriate security controls in place, enterprises can find it difficult to engage a broker or carrier that would risk writing a policy. Even if the policy is written, the prospect still needs to get underwriters' approval before the carrier binds the policy.

Robert Rosenzweig, national cyber risk practice leader and commercial New York metro regional leader at cyber insurance broker Risk Strategies, says his firm recommends that its clients manage risk appropriately to secure more comprehensive and competitive coverage, but it does not require clients to employ cybersecurity controls. Ultimately, he notes, it is the carrier's decision whether to approve the insurance application.

"We do have some information published about some of the top five to 10 controls that we have found to be most important when reducing the probability or cost and complexity of an incident, and also controls that carriers are most focused on when doing their underwriting analysis," he says.

However, Rosenzweig encourages organizations to invest in cybersecurity controls. 

"I think underwriters look favorably upon that. It's just another indicator that a prospective policyholder is investing in having the right culture of security and compliance," he says.

Risk Goes Beyond Cybersecurity

Potential fines for failing to properly contain risk could end up costing far more than the risk you were trying to mitigate, and it is not always a cybersecurity matter, says Joseph Williams, partner of cybersecurity at Infosys Consulting. He cites Burlington Northern Santa Fe Railway, which "just got hammered by the Illinois legislators for violating [the state's new] biometric [law]," as an example. The company must pay $228 million to some 45,000 truck drivers after a jury found the company collected the drivers' fingerprints without consent. This was the first court judgment related to the new Illinois Biometric Privacy Act.

"How would you have predicted that kind of vulnerability?" he asks, rhetorically. "This is my mantra: If you're not factoring, if you don't identify the risk, then you don't factor in that risk to the cost of the project. There's no way that biometric project was going to create $228 million in value, so somebody didn't calculate what that exposure would be. That wasn't cybersecurity; that was regulatory compliance."

Erika Andresen, a business continuity expert and founder of EaaS Consulting, as well as a longtime US Army lawyer, says she believes cybersecurity should be managed through regulatory oversight. 

"I would like to say it should be driven by regulation," she says. "But the problem is, you're going to have to pass that regulation through a series of senators and congressmen who have shares of companies that want to make money. And their interest is not to regulate those companies."

Andresen offers up that the SEC's Gensler has put forth proposed rules, but they have yet to be ratified. "They're supposed to be coming out, but they're going to be tied up," she says.