
Risk

10/24/2019
10:30 AM
Robert Huber
Commentary

Why Organizations Must Quantify Cyber-Risk in Business Terms

The rising costs of breaches and regulatory fines are driving demand for better measurement and articulation of business impacts.

There's no doubt that cyber incidents are a top concern for business leaders today. Decision-makers around the world rank data fraud, data theft, and cyberattacks among the five biggest risks they face, according to the World Economic Forum's "Global Risks Report." That's because a cyberattack can have a huge impact on a business: consider the estimated $300 million in costs after the NotPetya malware shut down operations at Maersk, or the $350 million Verizon cut from its purchase price for Yahoo after Yahoo disclosed two breaches. The average cost of cybercrime to an organization has risen to $13 million, according to a recent Accenture report. For businesses of all sizes and industries, cyber-risk is business risk.

Security leaders who are struggling to get the resources and support they need to protect their environment often face an uphill battle when making their case to the CEO and the board. That's because they are unable to translate cyber-risk into language business executives can relate to, or even to quantify the risk at all. The CFO and heads of every other business unit speak the language of business, but not the security teams. Security leaders need to quantify cyber-risk in business terms: they need to make clear what the impact could be on the organization's value creation, in terms of business operations, reputation, and loss exposure in dollars, all of which affect the future of the organization.

This problem is widespread. According to a recent study conducted by Ponemon and Tenable, more than 90% of respondents report experiencing at least one damaging cyberattack over the past two years, and 60% have had two or more. Yet fewer than half of respondents say they measure the costs of cyber-risk, and only 41% attempt to quantify the damage. Because they lack confidence in the accuracy of what they do measure, security leaders aren't sharing critical information with their boards about the business costs of cyber-risk. Indeed, some security leaders report that news headlines and perceived risks, rather than quantified ones, are driving some top-down decisions.

Risk Quantification Best Practices
Security leaders can learn how to quantify risk in business terms from other industries, such as financial services, which has long been out in front when it comes to managing risk. People wouldn't let a bank manage their life savings if it didn't understand the risks and guard against losses. Financial services and cybersecurity aren't that dissimilar: both feature increasingly complex systems, and both can suffer catastrophic failures that cascade out across entire industries and geographies.

Cyber-risk varies with the type of organization affected and the potential harm. Two examples of cyberattacks that pose significant risk targeted industries critical to the functioning of civil society. In 2015 and 2016, Ukraine's power grid was disrupted by nation-state attacks. Just recently, US officials revealed a much less serious cyberattack in March that briefly affected a grid control center and small power generation sites in California, Utah, and Wyoming. Meanwhile, persistent ransomware attacks over the past few years have forced many hospitals and cities in the US and elsewhere to pay cybercriminals to get their computers back online. In those examples, the loss of basic utility services and the potential harm to human life are key factors in the risk equation. For most businesses, however, the cyber-risk is primarily reputational and financial: loss of business due to downtime; loss of customers; theft of intellectual property or data; legal, labor, and cleanup costs; and fines for noncompliance with regulations.

Reliable, Accurate Metrics
What do top executives and boards need to know to make informed decisions about the organization's security program? They must learn, through quantifiable metrics, where in their environment they have exposures: which data and assets are vulnerable, where prior security incidents occurred, and how they happened. That information lets them prioritize technology purchases and deployments based on risk. Decision-makers also need to know how security teams are reducing cyber exposure over time and how the organization compares with its peers. To provide that, security teams must correlate vulnerability data with other risk indicators, such as threat intelligence and asset criticality, so that an organization's cyber-risk can be scored, trended, and benchmarked automatically.
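To make the correlation described above concrete, and to show how the "loss exposure in dollars" asked for earlier can fall out of the same data, here is an added example in Python. It is not Tenable's product logic and is not code from the original article. It joins a constructed asset inventory, a list of vulnerability findings with placeholder identifiers (VULN-A and so on, not real CVEs), and a constructed threat-intelligence feed; weights each finding by asset criticality to get a technical score; and then converts the result into an annualized loss expectancy, the same ARO x SLE form finance already uses for other operational risks. The multipliers, base attempt rate and loss fractions are assumptions chosen for the example and would have to be calibrated against an organization's own incident history.

```python
"""Added example: score vulnerability findings by threat intel and asset
criticality, then express the exposure as annualized loss in dollars.
The model, its parameters and the data below are constructed for
illustration; this is not Tenable's product logic."""
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class Asset:
    name: str
    criticality: int           # 1 (lab box) .. 5 (revenue-critical)
    business_value_usd: float  # value at stake, signed off by the business owner
    internet_facing: bool


@dataclass(frozen=True)
class Finding:
    asset: str
    vuln_id: str   # placeholder identifiers, not real CVEs
    cvss: float    # CVSS base score, 0.0 .. 10.0


# Constructed sample inventory and scan results (not a real environment).
ASSETS: Dict[str, Asset] = {a.name: a for a in [
    Asset("erp-db-01", 5, 4_000_000, False),
    Asset("web-fe-02", 4, 1_200_000, True),
    Asset("dev-vm-17", 1, 20_000, False),
]}
FINDINGS: List[Finding] = [
    Finding("erp-db-01", "VULN-A", 9.8),
    Finding("web-fe-02", "VULN-B", 7.5),
    Finding("web-fe-02", "VULN-C", 5.3),
    Finding("dev-vm-17", "VULN-A", 9.8),
]
# Constructed threat-intel feed: is exploitation observed in the wild?
EXPLOITED_IN_WILD: Dict[str, bool] = {"VULN-A": True, "VULN-B": False, "VULN-C": False}

# Assumed model parameters; calibrate against your own incident history.
BASE_ANNUAL_ATTEMPT_RATE = 0.5   # expected attack attempts per asset per year
EXPLOIT_MULTIPLIER = 1.5         # weaponized vulns are hit far more often
EXPOSURE_MULTIPLIER = 1.25       # internet-facing assets draw more attempts
LOSS_FRACTION_BY_CRITICALITY = {1: 0.05, 2: 0.10, 3: 0.20, 4: 0.35, 5: 0.50}


def likelihood(f: Finding, a: Asset) -> float:
    """Probability (0..1) that an attempt against this finding succeeds."""
    p = f.cvss / 10.0
    if EXPLOITED_IN_WILD.get(f.vuln_id, False):
        p *= EXPLOIT_MULTIPLIER
    if a.internet_facing:
        p *= EXPOSURE_MULTIPLIER
    return min(p, 1.0)


def risk_score(f: Finding, a: Asset) -> float:
    """Technical 0..100 score: likelihood weighted by asset criticality."""
    return round(likelihood(f, a) * (a.criticality / 5.0) * 100, 1)


def annualized_loss(f: Finding, a: Asset) -> float:
    """ALE = ARO x SLE, the form finance already uses for operational risk."""
    aro = BASE_ANNUAL_ATTEMPT_RATE * likelihood(f, a)  # annual rate of occurrence
    sle = a.business_value_usd * LOSS_FRACTION_BY_CRITICALITY[a.criticality]  # single-loss expectancy
    return round(aro * sle, 2)


def exposure_report(findings: List[Finding]) -> List[Tuple[str, str, float, float]]:
    """One row per finding, largest dollar exposure first."""
    rows = [(f.asset, f.vuln_id, risk_score(f, ASSETS[f.asset]),
             annualized_loss(f, ASSETS[f.asset])) for f in findings]
    return sorted(rows, key=lambda r: r[3], reverse=True)


def total_exposure(findings: List[Finding]) -> float:
    return round(sum(annualized_loss(f, ASSETS[f.asset]) for f in findings), 2)


def exposure_trend(before: List[Finding], after: List[Finding]) -> Dict[str, float]:
    """Dollar exposure removed by a remediation cycle, for the trend slide."""
    b, a = total_exposure(before), total_exposure(after)
    pct = round((b - a) / b * 100, 1) if b else 0.0
    return {"before_usd": b, "after_usd": a, "reduction_pct": pct}


if __name__ == "__main__":
    for asset, vid, score, ale in exposure_report(FINDINGS):
        print(f"{asset:<10} {vid:<7} score={score:5.1f}  ALE=${ale:>13,.2f}")
    # What fixing VULN-A on the ERP database alone buys:
    remediated = [f for f in FINDINGS if (f.asset, f.vuln_id) != ("erp-db-01", "VULN-A")]
    print(exposure_trend(FINDINGS, remediated))
```

Run as a script, it prints one row per finding sorted by dollar exposure, then the before/after totals for a single remediation. The point the weighting makes is visible in the output: the same 9.8-scored, actively exploited vulnerability contributes $1,000,000 of annualized exposure on the ERP database but $500 on the lab VM, and fixing it on the database alone removes about 75% of the total. That is a statement a CFO can act on; "two criticals" is not. The probabilities are still assumptions, which is exactly the weakness the comments below raise, so the parameters at the top should be replaced with whatever telemetry (incident counts, exploit observations, outage durations) the organization actually has.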

A number of forces are pushing organizations toward more effective cyber-risk management. The growing number of serious and costly cyberattacks has prompted boards and CEOs to take a more proactive role in understanding cyber threats and exposure. The rising costs of cyberattacks, data breaches, and regulatory fines are driving demand for better measurement and articulation of business impacts. Many organizations have not yet adopted security metrics that reflect the role cybersecurity plays as a core business enabler. They need to.


Robert Huber is Chief Security Officer at Tenable. He has more than 20 years of information security experience across the financial, defense, and critical infrastructure sectors. At Tenable, Robert oversees the company's global security teams, working cross-functionally to reduce ...
Comments
Dr.T, User Rank: Ninja, 10/28/2019 | 5:42:40 PM
CEO
"The growing number of serious and costly cyberattacks has prompted boards and CEOs to take a more proactive role in understanding cyber threats and exposure." This is encouraging to hear. It is really time to pay attention to what is happening in the organization and where the vulnerabilities are.
Dr.T, User Rank: Ninja, 10/28/2019 | 5:38:41 PM
Re: Quantifying cost
"How do you quantify the 'possible' cost?" I think this is a good question to ask. One way to overcome that is reviewing similar activities and projects completed in the past and forecasting the cost for the probability of them happening in the future. However, I do not have a good answer either, unfortunately.
Dr.T, User Rank: Ninja, 10/28/2019 | 5:35:21 PM
Re: Quantifying cost
"My issue with most of them at this point is, they are all based off of probabilities." I hear you. We are living in a more probabilistic world than a deterministic one, unfortunately.
Dr.T, User Rank: Ninja, 10/28/2019 | 5:33:25 PM
CFO
"The CFO and heads of every other business unit speak the language of business, but not the security teams." This is really a good point to make. CFOs tend to focus on cost-benefits; if the CISO can elaborate on security in those terms, then there is a better chance of being on the same page.
Bob Huber Tenable, User Rank: Author, 10/25/2019 | 10:52:24 AM
Re: Quantifying cost
I agree, quantifying cost is cumbersome at best. There are many initiatives in the insurance industry to try and do just that, as well as some "cyber" companies attempting to address this. There are frameworks that attempt to do this as well. My issue with most of them at this point is, they are all based off of probabilities. If you could tie probabilities to quantifiable telemetry, that would be ideal. Personally, I have been evaluating some of these technologies to quantify the cost, but the jury is still out on their usefulness.
lmasseus, User Rank: Apprentice, 10/25/2019 | 10:12:18 AM
Quantifying cost
The question that needs to be answered is: How do you quantify the "possible" cost? An article that delves into the details of how you should quantify cyber-risk would be more useful.