Cyber risk assessment is a complicated matter for CISOs. While it’s hard enough to identify the most serious risks, it can be even more challenging to quantify the risk in a way that translates into board action. CISOs may struggle to answer a profound but inevitable business question that arises in the face of cyber risks: What’s the price of NOT spending money on mitigating a particular risk? Put another way, which risks threaten the organization with the greatest financial impact? New tools now help CISOs perform risk assessment and develop meaningful financial impact analysis around each threat.
Calculating cost/benefit for cyber policy decisions
Security budgets are trending up and boards are more likely to allocate resources to risk mitigation. However, prioritization remains a problem. Which countermeasure is the better investment? To answer the question, it’s necessary to understand how much an outage or breach will cost the business in one system versus another.
I spoke about this challenge with Jerry Caponera, VP of Cyber Risk Strategy at Nehemiah Security. Nehemiah now offers RQ, a risk quantification solution to help CISOs put a dollar figure on the business impact of a threat. “Think about it like this,” Caponera said. “If you had to choose to defend either your email server or your ERP solution, which one would you invest with more security?”
There’s no automatic answer, according to Caponera. “It depends on your business. In one company, ERP may be so critical that an outage could cost millions of dollars an hour. Alternatively, if email is the lifeblood of your customer relationships, having email go down could also be very costly.”
A meaningful dialogue about security investments in this scenario involves knowing the financial impact of an incident, but also its probability. As Caponera put it, “An attack on system A might have a financial impact of a billion dollars, but if the likelihood of an attack is one thousandth of one percent, should we protect System A over System B, which has a 50% chance of a million-dollar loss?”
New tools for cyber risk assessment
Nehemiah’s RQ operationalizes this thought process through what Caponera calls a “Risk Engine.” RQ factors in existing controls and business financials to arrive at Return on Investment (ROI) criteria for proposed investments in security. It looks at the cost of theft of personally identifiable information (PII), business disruption and more. The solution features automatic discovery of digital assets as well as continuous updating of the control environment.
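The expected-loss comparison above and the ROI criteria for proposed controls, as an added Python example (not Nehemiah’s RQ code or its Risk Engine’s method): it ranks candidate controls by return on security investment using the article’s System A and System B figures. The control names, costs, reduction factors and the in_effect flag are constructed assumptions.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Exposure:
    """One system's loss scenario: dollar impact and annual probability."""
    name: str
    impact: float        # loss in dollars if the scenario occurs
    probability: float   # annual probability of occurrence, 0..1

    def expected_loss(self) -> float:
        """Annualized expected loss = impact x probability."""
        return self.impact * self.probability


@dataclass(frozen=True)
class Control:
    """A proposed countermeasure (hypothetical figures, not RQ's model)."""
    name: str
    target: str           # Exposure.name this control protects
    reduction: float      # fraction of probability removed while in effect
    annual_cost: float
    in_effect: bool = True  # a control that has "fallen apart" avoids nothing


def rosi(exposure: Exposure, control: Control) -> float:
    """Return on security investment: (loss avoided - cost) / cost."""
    if control.target != exposure.name:
        raise ValueError(f"{control.name} does not protect {exposure.name}")
    effective = control.reduction if control.in_effect else 0.0
    avoided = exposure.expected_loss() * effective
    return (avoided - control.annual_cost) / control.annual_cost


def rank_controls(exposures, controls):
    """Best investment first: list of (control name, ROSI)."""
    by_name = {e.name: e for e in exposures}
    scored = [(c.name, rosi(by_name[c.target], c)) for c in controls]
    return sorted(scored, key=lambda pair: pair[1], reverse=True)


# Figures from the article: 0.001% chance of a $1B loss vs 50% chance of $1M.
SYSTEM_A = Exposure("System A", impact=1_000_000_000, probability=0.00001)
SYSTEM_B = Exposure("System B", impact=1_000_000, probability=0.5)
# Constructed candidate controls (assumed costs and effectiveness).
CONTROLS = [
    Control("Harden A", "System A", reduction=0.9, annual_cost=50_000),
    Control("Harden B", "System B", reduction=0.6, annual_cost=100_000),
    Control("Lapsed B", "System B", reduction=0.6, annual_cost=100_000,
            in_effect=False),
]

if __name__ == "__main__":
    for name, value in rank_controls([SYSTEM_A, SYSTEM_B], CONTROLS):
        print(f"{name}: ROSI {value:+.2f}")
```

A negative ROSI means the control costs more per year than the loss it avoids, which is why the billion-dollar scenario still loses to the likelier million-dollar one here.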
“If a control is in effect at the time of a security audit, but then falls apart, that’s going to increase the potential cost of a risk,” Caponera said. “It’s critical to know what’s going on in your environment at all times.”