Most organizations and enterprises rely on their IT systems and the Internet to develop, build, and sell their products and services. Moreover, they often use a complicated web of contractors and vendors that are integrated into those IT systems, creating a hyperconnected and complex ecosystem that exposes organizations to systemic risk.
In this blog, I consider how to effectively measure and communicate this type of risk. With quantified risk at hand, you can then make the financial case for cybersecurity measures to minimize that systemic risk.
Against the backdrop of systemic risk, cyber and security professionals strive to develop and deploy protection measures to lower risk. The reality is that there are just too many areas where an adversary could attack, and securing all of them would be prohibitively expensive and time-consuming.
Given these realities, we need a way to decide what to address and what not to address. In essence, we need to find the measures that reduce the most risk for the least expense, or more plainly, give us “the biggest bang for the buck”, all while acknowledging there will always be residual risk.
In addition to maximizing the risk reduction, we also need a communication mechanism for talking to the executive team and/or board of directors to persuade them to provide support and funding. One mechanism for achieving this is to communicate actions in terms of business risk. Each entity’s risk appetite is very different from the next, so tailoring the conversation to the specific needs of your audience is extremely important.
For example, as compared to an established firm, a start-up will often accept larger risk. By nature, startups embrace product risk. A start-up that considers heavy spending on security knows that such spending would detract from product innovation and increase product time-to-market.
Identifying, managing, and communicating risk requires a cross-discipline team as no one individual knows everything. That’s right, even I don’t know everything! As with any team exercise it is important to ensure everyone is using the same language. I find that the Open Factor Analysis of Information Risk (FAIR) taxonomy is superb.
FAIR clearly defines the differences between risk, vulnerability, threat, probability, and more. Additionally, it offers a mechanism to quantify the risk and express it as an annualized and/or one-time loss. While not all organizations will be ready or able to implement that level of rigor, FAIR can still be used to deliver a qualitative assessment that CEOs and CFOs will be able to understand.
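To show what "quantify the risk and express it as an annualized loss" looks like in practice, here is an added example (not code from the original post or from the Open FAIR standard) that computes annualized loss exposure from the FAIR factors Threat Event Frequency, Vulnerability and Loss Magnitude, runs a small Monte Carlo over calibrated ranges, and then ranks candidate controls by risk reduction per dollar, the "biggest bang for the buck" question from earlier in the post. The scenario, the mitigations and all of their numbers are constructed illustrative assumptions, not measurements from any real organization.

```python
"""FAIR-style risk quantification: express a scenario as annualized loss and
rank mitigations by annual risk reduction per dollar of annual cost.

Added example, not from the original post. Scenario and mitigation numbers
are constructed illustrative values (assumptions), not real measurements.
"""
import random
from dataclasses import dataclass


# Each factor is a (minimum, most likely, maximum) estimate, the kind of
# calibrated range a FAIR workshop produces instead of a single guess.
@dataclass
class Scenario:
    name: str
    tef: tuple    # Threat Event Frequency: attempts per year
    vuln: tuple   # Vulnerability: probability an attempt becomes a loss event
    loss: tuple   # Loss Magnitude: dollars per loss event


@dataclass
class Mitigation:
    name: str
    annual_cost: float
    vuln_reduction: float = 0.0  # fraction of Vulnerability removed (0..1)
    tef_reduction: float = 0.0   # fraction of Threat Event Frequency removed


def expected_ale(s: Scenario) -> float:
    """Point estimate using most-likely values:
    ALE = Loss Event Frequency x Loss Magnitude = (TEF x Vulnerability) x Loss."""
    return s.tef[1] * s.vuln[1] * s.loss[1]


def simulate_ale(s: Scenario, trials: int = 20_000, seed: int = 1) -> dict:
    """Monte Carlo estimate: draw each factor from a triangular distribution
    over its (min, most likely, max) range; report mean and 95th percentile.
    With right-skewed ranges the mean sits well above the most-likely estimate,
    which is exactly the tail exposure a point estimate hides."""
    rng = random.Random(seed)

    def draw(t):
        lo, mode, hi = t
        return rng.triangular(lo, hi, mode)  # random.triangular(low, high, mode)

    losses = sorted(draw(s.tef) * draw(s.vuln) * draw(s.loss) for _ in range(trials))
    return {"mean": sum(losses) / trials, "p95": losses[int(0.95 * trials)]}


def apply_mitigation(s: Scenario, m: Mitigation) -> Scenario:
    """Residual scenario after a control shrinks TEF or Vulnerability.
    Loss Magnitude is left unchanged: these controls prevent, not contain."""
    def scale(t, frac):
        return tuple(x * (1 - frac) for x in t)
    return Scenario(s.name, scale(s.tef, m.tef_reduction),
                    scale(s.vuln, m.vuln_reduction), s.loss)


def rank_mitigations(s, mitigations, estimator=expected_ale):
    """Rank controls by ALE reduction per dollar of annual cost, descending.
    Returns (name, ale_reduction, reduction_per_dollar) tuples; the residual
    ALE after any control is never zero, which is the residual risk to report."""
    base = estimator(s)
    rows = []
    for m in mitigations:
        reduction = base - estimator(apply_mitigation(s, m))
        rows.append((m.name, reduction, reduction / m.annual_cost))
    return sorted(rows, key=lambda r: r[2], reverse=True)


# Constructed scenario: credential phishing against a vendor-facing portal.
SCENARIO = Scenario("Phishing against vendor portal",
                    tef=(2, 6, 20), vuln=(0.1, 0.3, 0.6),
                    loss=(50_000, 200_000, 1_000_000))

# Constructed candidate controls with assumed costs and assumed effects.
MITIGATIONS = [
    Mitigation("Phishing-resistant MFA", annual_cost=40_000, vuln_reduction=0.5),
    Mitigation("Endpoint detection and response", annual_cost=120_000, vuln_reduction=0.6),
    Mitigation("Decommission legacy vendor VPN", annual_cost=15_000, tef_reduction=0.25),
]

if __name__ == "__main__":
    print(f"Most-likely ALE: ${expected_ale(SCENARIO):,.0f}")
    sim = simulate_ale(SCENARIO)
    print(f"Simulated mean ALE: ${sim['mean']:,.0f}; 95th percentile: ${sim['p95']:,.0f}")
    for name, reduction, per_dollar in rank_mitigations(SCENARIO, MITIGATIONS):
        print(f"{name:35s} cuts ALE by ${reduction:>10,.0f}  ({per_dollar:.2f} per $)")
```

Two things in the output are worth pointing out to an executive audience: the simulated mean is several times the most-likely estimate because the loss range is skewed, so reporting only the point estimate understates exposure; and the cheapest control wins the ranking on risk reduction per dollar even though it removes the least absolute risk, which is the trade-off a budget conversation has to make explicit.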
Personally, I find that understanding an entity’s value chain and risk appetite allows risk practitioners to position risk reduction or mitigation measures more effectively and balance the desire to reduce risk with the need to grow and operate the business. If technical and security practitioners cannot articulate the risk reduction a particular product will deliver, it is highly likely that any decision made to mitigate perceived risk is a knee-jerk selection based on current trends or vendor marketing.
The reason you need to think about risk is simple: your business is complex. Wise business decisions balance numerous factors, such as change and stability, safety and risk, and both long- and short-term outcomes. With risk factoring into every equation, it is essential to quantify and communicate risk in ways that everyone can understand.
Contact our security team today if you need assistance with assessing and mitigating your risk.