By Tom Boltman, VP of Strategic Initiatives at Kovrr. Prior to Kovrr Tom held senior leadership positions at a number of award-winning technology startups. He also spent 5 years as a producer at CNN International. He has an MA in Counter-Terrorism and a BA Hons. in International Relations.
Discussions about cyber security in the business context tend to focus on technology. They’re about the efficacy of the firewall, the loss of data in a breach and so forth. This makes sense, up to a point. Protecting digital assets involves the use of technology. Yet, there’s more to cyber security than the technologies involved. For business leaders in particular, cyber security is better viewed as a matter of business risk.
What are we really worried about?
Cyber security is also a subject area where people can become excessively concerned about disastrous outcomes. To be fair to the warriors, the dangers are real. However, what do we actually fear? The concerns people express don’t always align with probable outcomes.
For example, if the CEO says she is alarmed at the prospect of a data breach, is she saying she’s afraid that the confidential data held by the firm in a database will become public? Is she petrified that the Identity and Access Management (IAM) system will authenticate a malicious actor bent on stealing digital secrets?
Probably not… What she’s really worried about are the business impacts of such an event. Breaches are expensive to remediate, but worse, they can hurt a company’s reputation. It might cause customers and prospects to defect. A breach could thus slow down revenue and earnings growth. That, mostly, is what’s keeping the CEO up at night, not a fear that IAM will let her down.
This is worth mentioning because stakeholders in cyber security often talk past one another when they try to determine the best approaches to defending a business from cyber attacks. Tech people talk tech. Security people talk about security. Business people talk business. Compliance people talk compliance. Everyone seems to forget that there is only one real subject—the business itself.
Whose job is it, anyway?
A big part of the Chief Information Security Officer’s (CISO’s) job is to make sure that security countermeasures are functioning as required. However, security should not be solely up to the CISO. To the extent that all businesses are technology-driven, and that cyber risk affects the entire business, not just IT, a variety of additional stakeholders need to get involved.
Cyber security is relevant to a wider circle of C-level people. In addition to the Chief Technology Officer (CTO), these include the Chief Risk Officer (CRO), the Chief Financial Officer (CFO) and the Chief Operating Officer (COO). The board of directors has a role to play as well. All of these people need to be involved in assessing cyber risk from a business perspective. Each deserves a voice in figuring out the best way to mitigate cyber risk.
How a group of senior decision makers can collaborate on cyber risk management
How does a group of senior decision makers come together to collaborate on cyber risk management? Assuming that turf battles and personalities are not an issue, success comes from the ability to discuss cyber risk using a common frame of reference. This has proven to be difficult, given the technical nature of security and the opaque nature of cyber risk.
Consider the following relatable example of how not to manage cyber risk. The CISO wants authorization to spend $100,000 implementing Zero Trust Network Access (ZTNA). The senior leadership team, which must sign off on the expenditure, asks why ZTNA is necessary. The CISO replies that the changing threat landscape, coupled with the company’s new hybrid work model, increases the risk of a malicious actor accessing the network. This sounds good, but no one can know for sure if $100,000 is a high number or a good value.
If the senior leadership team knew the cost of a network breach, they could make an informed decision about ZTNA. They could have a conversation about the risk using a reference point that everyone is familiar with: Money. This means being able to quantify the risk of a network breach.
The role of cyber risk quantification
Cyber Risk Quantification (CRQ) is a process that assigns a financial value to given cyber risk. Done with specialized tools and real world data on cyber attack losses, CRQ makes it possible to establish, for example, that a network breach might cost $500,000 to remediate. With that figure in hand, a $100,000 investment in ZTNA looks wise. The senior decision makers can weigh the costs and the benefits of ZTNA without having to understand how ZTNA works. The non-technical stakeholders gain a seat at the table.
Cyber security is about managing overall risk to a business. As a result, business leaders must be part of the cyber security decision making process. CRQ gives everyone a way to understand and communicate about cyber risk using the universal language of money.
Learn more about CRQ here.