Quantitative measurements (likelihood of loss, hard-dollar financial impact) are what executives and directors need to make more informed decisions about security risks.
You wouldn't set foot in Sweden and start speaking Swahili… so why would you use the language of bits and bytes in a boardroom full of executives to discuss cyber risk?
Like anywhere, CISOs and security professionals have to learn (and master) the language. And where risk is concerned, just presenting directors with a qualitative tool like a heat map to depict the organization's current cyber risk isn't going to cut it anymore. The nature of digital business, not to mention the unrelenting headlines about hacks, ransomware, and phishing incidents, has sensitized executives beyond the security basics of malware and firewalls.
"It used to be, 'Tell us how bad it is,' but now it's more a case of 'We're giving you money… we need to know what we're getting in return'," says Nick Sanna, CEO of RiskLens, a risk management software vendor.
Sanna adds that directors and executives face more requests to assess risk in financial terms, including from the Securities and Exchange Commission.
Because qualitative measures won't cut it like they used to (so long, traffic signal graphics!), customers are either embracing or being pushed toward measuring risk along two axes: likelihood and potential impact. These are the two essential metrics for any risk calculation, cyber or otherwise.
By moving from qualitative to quantitative risk assessment, the organization also helps itself create a guide for action. "How much risk do we have? Are we doing too much or too little? What does it take for us to stay out of trouble? These are basic questions, but they are the things you want to know as a business owner," Sanna explains.
Risk management that relies on likelihood and financial impact should lead organizations and their stewards to better decision making, Sanna adds.
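As an added illustration (not the article's own material, nor RiskLens's or the FAIR Institute's model), the Python below turns the two axes into dollar figures: likelihood as an expected number of loss events per year, impact as a per-event loss range, combined by Monte Carlo into an expected annual loss and tail probabilities a board can weigh against the cost of controls. All scenario numbers are constructed.

```python
import math
import random
from dataclasses import dataclass

@dataclass
class Scenario:
    name: str
    events_per_year: float  # likelihood: expected loss events per year
    loss_low: float         # impact: per-event loss near the 5th percentile (USD)
    loss_high: float        # impact: per-event loss near the 95th percentile (USD)

def _poisson(rng: random.Random, lam: float) -> int:
    """Knuth's Poisson sampler; adequate for the small event rates used here."""
    limit, k, p = math.exp(-lam), 0, 1.0
    while True:
        k += 1
        p *= rng.random()
        if p <= limit:
            return k - 1

def simulate_annual_losses(s: Scenario, years: int = 20000, seed: int = 7) -> list:
    """Return one simulated total loss per year, sorted ascending."""
    rng = random.Random(seed)
    # Fit a lognormal so loss_low/loss_high land at roughly the 5th/95th percentiles.
    mu = (math.log(s.loss_low) + math.log(s.loss_high)) / 2
    sigma = (math.log(s.loss_high) - math.log(s.loss_low)) / (2 * 1.645)
    totals = []
    for _ in range(years):
        n = _poisson(rng, s.events_per_year)
        totals.append(sum(rng.lognormvariate(mu, sigma) for _ in range(n)))
    return sorted(totals)

def percentile(sorted_losses: list, p: float) -> float:
    # Nearest-rank percentile of an already-sorted list, p in [0, 1].
    return sorted_losses[min(len(sorted_losses) - 1, int(p * len(sorted_losses)))]

def exceedance_probability(sorted_losses: list, threshold: float) -> float:
    # Fraction of simulated years whose total loss exceeds the threshold.
    return sum(1 for x in sorted_losses if x > threshold) / len(sorted_losses)

def summarize(s: Scenario) -> dict:
    """The figures a board can act on: expected loss and tail exposure."""
    losses = simulate_annual_losses(s)
    return {"scenario": s.name,
            "expected_annual_loss": sum(losses) / len(losses),
            "p50": percentile(losses, 0.50), "p90": percentile(losses, 0.90),
            "p_loss_over_1m": exceedance_probability(losses, 1_000_000)}

if __name__ == "__main__":
    # Constructed inputs for illustration, not figures from the article.
    print(summarize(Scenario("ransomware outage", 0.5, 200_000, 3_000_000)))
```

Swapping the constructed scenario for your own estimates answers Sanna's "what are we getting in return" question directly: rerun with the post-control event rate or loss range and compare the two expected annual losses.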
And for large organizations and Fortune 500 companies, it's likely they're also tracking other types of risk (strategic, reputational, legal) within the organization. So tying in other risk measurements with cyber risk makes good sense, if only to have everyone using similar models, methods, and/or lexicon for risk management, according to Fred Kwong, CISO for Delta Dental Plans Association.
He looks at risk management through a slightly different filter. Kwong uses three categories to help measure the organization's cyber risk: operational risk (availability of systems), risk to the organization's data, and reputational risk, also known as risk to the brand.
Kwong points to other risk criteria that peers and colleagues use. Perhaps best known among these are the NIST risk management resources, cited by many as a basic compliance checklist. There's the Center for Internet Security's Risk Assessment Methodology (RAM), created by Halock. Generating consistent buzz is the risk framework from the Factor Analysis of Information Risk Institute (FAIR), which, by most accounts, comes closest to delivering on the quantitative risk approach advocated by Kwong and Sanna (who's also president of the FAIR Institute).
"All these models boil down to what the risk is to the organization," Kwong says. "They also help us with how to track and measure that risk so our leaders have the data points they need to make the best decisions," about managing that risk, he adds.
Kwong also cautions against equating compliance with risk mitigation – think Payment Card Industry Data Security Standard (PCI DSS), Health Insurance Portability and Accountability Act (HIPAA), or the Federal Information Security Management Act (FISMA), for example.
"Many risk mitigation plans are built against HIPAA standards, but that's not an answer to the risk question," he explains. These frameworks may help mitigate risk, but they don't really manage risk or measure impact and likelihood. As most security professionals know, raising the spectre of non-compliance has been a great way to get funding for a pet project. "No one wants to hear they're going to get fined by regulators or not considered trustworthy," Kwong says. But there's more work involved in risk management than simply being PCI compliant, he adds.