Risk. According to Merriam-Webster, the word has several meanings. First is "possibility of loss or injury: PERIL." A little down the list comes, "the chance of loss or the perils to the subject matter of an insurance contract, also: the degree of probability of such loss." Now, from a business perspective, we're getting somewhere.
The cybersecurity world is accustomed to talking about risk in colorful terms. "Code red," "condition yellow," and the like have long been used to discuss the immediate risk environment.
But as cybersecurity has become an issue for business executives as much as technology managers, the language has changed and risk has shifted to a quantitative conversation.
A Sign of Maturity
Brian Riley, senior director of global cyber-risk management at Liberty Mutual, says, "Putting numbers or metrics around risk allows you to have a different level of conversation about what that means." He explains that the differences not only allow the conversations to take place with different business groups, but are indicative of a growing maturity in the field of cyber risk.
One sign of cybersecurity maturity is adoption of a common language and analytical framework to describe risk in terms other lines of business understand.
There are a number of organizations that have developed such tools. For example, the International Organization for Standardization (ISO) and the National Institute of Standards and Technology (NIST) have created sweeping, comprehensive standards. And a tool like the Factor Analysis of Information Risk (FAIR) is a practical framework that helps organizations uphold those standards - specifically the ones that relate to cyber-risk.
Frameworks Make the Team Work
Ian Amit, CSO of Cimpress, says his organization is using FAIR as the basis for broader risk discussions. "We are using FAIR not only as part of our security organization, but we also started introducing that into our overall enterprise risk management group," he explains.
The FAIR model builds its framework on a series of definitions, beginning with assets and continuing to risk, which is broadly defined as the probability that a loss will occur to an asset. Various forms of loss, such as productivity, replacement, and reputation, are defined, as are the types of threats that can lead to those losses. The threats are then placed into a multidimensional context of severity and likelihood, all expressed in numbers rather than descriptive terms.
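To make the "severity and likelihood, expressed in numbers" idea concrete, here is an added illustration that is not part of the article and not the Open Group's FAIR specification: a FAIR-style Monte Carlo quantification of one loss scenario. It combines a loss-event-frequency range with per-event loss ranges for several forms of loss, reports the resulting annual exposure as percentiles rather than a single number, and then applies the control-cost-versus-exposure-avoided arithmetic that the ROI discussion later in the article describes. The scenario, the ranges, the hypothetical MFA control and all dollar figures are constructed for the example; the triangular distribution stands in for the PERT-style ranges FAIR practitioners typically use.

```python
"""FAIR-style risk quantification, added example (constructed data)."""
import random
import statistics
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class Estimate:
    """A calibrated range estimate: minimum, most likely, and maximum value."""
    low: float
    likely: float
    high: float

    def sample(self, rng: random.Random) -> float:
        # Triangular distribution as a simple stand-in for FAIR's PERT-style ranges.
        return rng.triangular(self.low, self.high, self.likely)


@dataclass(frozen=True)
class LossScenario:
    """One asset/threat pairing in the two dimensions the article names:
    how often a loss event occurs (likelihood) and what it costs (severity)."""
    name: str
    loss_event_frequency: Estimate      # loss events per year
    loss_forms: Dict[str, Estimate]     # form of loss -> dollars per event


def simulate_annual_loss(scenario: LossScenario, iterations: int = 10_000,
                         seed: int = 1) -> List[float]:
    """Each iteration draws a frequency and a per-event magnitude (summed over
    the forms of loss) and multiplies them; the list of draws is the risk as a range."""
    rng = random.Random(seed)   # fixed seed keeps the example reproducible
    annual_losses = []
    for _ in range(iterations):
        frequency = scenario.loss_event_frequency.sample(rng)
        magnitude = sum(e.sample(rng) for e in scenario.loss_forms.values())
        annual_losses.append(frequency * magnitude)
    return annual_losses


def summarize(annual_losses: List[float]) -> Dict[str, float]:
    """Reduce the simulated range to the figures a board report would carry."""
    s = sorted(annual_losses)

    def pct(q: float) -> float:
        return s[int(q * (len(s) - 1))]

    return {"p10": pct(0.10), "median": pct(0.50), "p90": pct(0.90),
            "mean": statistics.fmean(s)}


def risk_reduction(before_exposure: float, after_exposure: float,
                   control_cost: float) -> Tuple[float, float]:
    """Exposure avoided by a control and the exposure avoided per dollar spent."""
    reduction = before_exposure - after_exposure
    return reduction, reduction / control_cost


# Constructed scenario (not any real organization): credential phishing
# against a customer-data application. Dollar ranges are per loss event.
PER_EVENT_LOSS = {
    "response": Estimate(50_000, 150_000, 400_000),
    "productivity": Estimate(20_000, 80_000, 250_000),
    "reputation": Estimate(0, 200_000, 1_500_000),
}
BEFORE = LossScenario("phishing -> customer data",
                      Estimate(0.5, 1.0, 2.0), PER_EVENT_LOSS)
# Hypothetical control (phishing-resistant MFA) assumed to lower event
# frequency only; the per-event magnitude is left unchanged.
AFTER = LossScenario("phishing -> customer data, with MFA",
                     Estimate(0.1, 0.25, 0.5), PER_EVENT_LOSS)
CONTROL_COST = 200_000   # constructed annual cost of the control


def compare(before: LossScenario = BEFORE, after: LossScenario = AFTER,
            control_cost: float = CONTROL_COST) -> Dict[str, object]:
    """Run both scenarios and express the control as exposure avoided per dollar."""
    b = summarize(simulate_annual_loss(before))
    a = summarize(simulate_annual_loss(after))
    reduction, ratio = risk_reduction(b["mean"], a["mean"], control_cost)
    return {"before": b, "after": a, "reduction": reduction,
            "return_per_dollar": ratio}


if __name__ == "__main__":
    r = compare()
    for label in ("before", "after"):
        s = r[label]
        print(f"{label:>6}: p10 ${s['p10']:,.0f}  median ${s['median']:,.0f}  "
              f"p90 ${s['p90']:,.0f}  mean ${s['mean']:,.0f}")
    print(f"mean exposure avoided: ${r['reduction']:,.0f}  "
          f"(${r['return_per_dollar']:.1f} avoided per $1 of control cost)")
```

The point of reporting p10, median and p90 rather than one number is that the range is what lets the cyber figure sit beside financial or operational risk estimates, which are also given as ranges; the mean is used only to compute the exposure avoided per control dollar.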
While Liberty Mutual's Riley makes extensive use of FAIR in his work, it's not the only tool he brings to the job.
"The work that Mitre has done with their ATT&CK framework of the adversarial tools, tactics, and common knowledge creates a taxonomy that allows an organization to think about specific attack tactics and the security controls that can be applied to those tactics in a repeatable way," he says. The consistent repeatability is something professionals see as critical for not only addressing risk within cybersecurity, but for talking about risk within the larger context of the business.
"I think [FAIR] helps you put the cyber-risk on the same level as other elements of risk that we're addressing at the enterprise level," Amit says. "So if I'm looking at financial risk, operational risk, a competitive landscape, these are all at the end of the day quantified to a degree with some sort of a range that revolves around the specific threat."
He goes on: "Here's a scenario. Here's our exposure. Here's the risk associated with that." And expressing that risk in a quantified way that other professionals within the business can understand means that the risk can be addressed by the entire organization.
Steve Durbin, managing director of the Information Security Forum, says the common understanding within the organization is critical. "The challenge for security is to be able to translate security metrics into a form of reporting that is relevant and understandable to a senior audience and aligns with and supports the assessment of business performance and ultimately business risk," he says.
That assessment will, at some level, need to be expressed in the dollars and cents terms that are the core of executive discussion.
"For board-level metrics, analytics data must often be combined with some sort of cost-benefit analysis," says Heather Paunet, vice-president of product management at Untangle.
Amit agrees, giving an example of the discussion a CISO can have with the executive board: "Here's why I'm trying to reduce this certain scenario's risk from $2 million to $800,000. So I've got a $1.2 million risk reduction. And in order to perform that activity, I'm asking for investment in the magnitude of $200,000. So $200,000 for $1.2 million. Now you're starting to make sense as far as my return on investment."
And boards of directors are increasingly interested in having CISOs and risk managers make sense in board meetings. "It would be a very foolish board indeed today that said it had no interest in understanding the company's security posture and what steps were being taken to protect its critical assets," says Durbin.
Fortunately for both boards and the professionals charged with providing information, "the industry is gradually maturing in space to have more quantifiable metrics around what risks look like across most frameworks," according to Riley.
The point, ultimately, is what cybersecurity professionals can do about the risks they see. "It's our job to figure out what portion of a loss scenario, what portion of the risk element that we're measuring do we have control of in that loss scenario," Amit says. "What is it that you have control over that can change the outcome of a particular scenario?"