Everyone envies the Chief Financial Officer (CFO), even if they don’t say it out loud. She has the money! However, this envy may be misplaced. If we understood the agonizing choices she faced, we might instead have some empathy. This is particularly true in cybersecurity. If the CFO has a dollar to spend on cybersecurity, what is the best use of that dollar?
A dollar allocated to cybersecurity could go toward more cyber insurance. Or, it could go to a new firewall, or any other countermeasure on the Chief Information Security Officer’s (CISO’s) wish list. The problem for the CFO is that she might have a hard time putting a dollar value on the risks she is mitigating. In addition, she will likely have to explain her decision to the board of directors, who may have even less sense of where to spend money on security.
Getting CFOs and boards to understand the financial impact of cyber threats is indeed one of the great challenges facing CISOs today. It’s an area that CISOs struggle with for two essential reasons. For one thing, modeling risk in financial terms is not typically in the background of the CISO, who is probably a technologist at heart. And, even with a desire to put a price tag on risks, there have not been many good ways to do that until recently.
As the cyber threat landscape heats up, new vendors and methodologies are emerging to tackle this complicated and serious issue. Axio, for example, works with clients to get at the “ground truth” of cyber risk they are facing. According to Scott Kannry, the company’s CEO, “You have to take a deep look at the real costs of dealing with a major cyber incident, way past any pro-forma ‘duty of care’ standards you may have used in the past. What will it actually cost to deal with a catastrophic event?”
Arriving at an accurate, workable figure is not easy. There is always the “sky is falling” approach, which posits that a major cyber attack will simply destroy the company—its dollar value is incalculable. On the other side, one can look at industry research, which holds that the average cyber attack costs, say, $4 million. Neither is of much use. The “average attack” is not relevant to any one individual company, whose risk exposure might be quite a lot lower or higher.
“You also have to be completely aware of how your cyber insurance and general liability policies will actually work if you are going to rely on them to cover your costs on your worst imaginable day,” Kannry advised. He got his start at AON, so he comes to cyber-related insurance discussions from a position of strong experience. “You might be surprised at how many cyber exclusions your property policy actually contains.”
The Axio methodology creates what Kannry calls an “impact taxonomy.” “A cyber attack creates layers of impact on a business,” he said. “Some are not so easy to spot. For example, will a disruption in business cause your sales pipeline to collapse? What will that cost? Or, will your physical assets be affected? An operational technology outage might cause massive financial losses if industrial infrastructure has to be replaced—a process that will also stop operations for months, potentially.”
Axio offers software that helps the client develop the impact taxonomy and place possible financial losses into cost buckets they can use to determine accurate values for cyber risks. “With our methodology as a foundation, you can start to have productive dialogues about investments in countermeasures that are driven by dollar estimates of risk versus hunches,” Kannry concluded. “You can talk to the board about cyber risk in financial terms, which they can use to make informed decisions about investing in cyber security.”
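The mechanics behind the two points above (Kannry's warning about how a policy actually responds, and the idea of itemizing a scenario into impact buckets and then comparing countermeasures in dollars) can be shown with a small loss model. The following Python is an added example written for this page; it is not Axio's software or methodology, and every scenario, bucket name, dollar figure, likelihood, policy term and control effect in it is a constructed assumption chosen only to show the arithmetic: itemize impact per scenario, apply the policy's exclusions, deductible and limit to find the retained loss, annualize it, then rank countermeasures by expected loss avoided per dollar spent.

```python
"""Worked cyber-loss model: impact buckets, insurance response and
countermeasure ranking.

Added example for this page; it is NOT Axio's software or methodology.
Every scenario, bucket, dollar figure, likelihood, policy term and
control effect below is a constructed assumption for illustration."""
from dataclasses import dataclass, field


@dataclass
class Scenario:
    """One loss scenario, itemized by impact bucket (assumed figures)."""
    name: str
    annual_probability: float      # assumed chance of occurring in a year
    impact: dict                   # bucket name -> dollar loss if it occurs

    def total_impact(self) -> float:
        return sum(self.impact.values())


@dataclass
class Policy:
    """Simplified policy: one limit, one deductible, a set of excluded buckets."""
    limit: float
    deductible: float
    excluded_buckets: set = field(default_factory=set)

    def payout(self, impact: dict) -> float:
        # Exclusions remove whole buckets before the deductible and limit apply.
        covered = sum(v for k, v in impact.items() if k not in self.excluded_buckets)
        return max(0.0, min(covered - self.deductible, self.limit))


def retained_loss(scenario: Scenario, policy: Policy) -> float:
    """Dollars the company itself absorbs if the scenario happens."""
    return scenario.total_impact() - policy.payout(scenario.impact)


def exclusion_gap(scenario: Scenario, policy: Policy) -> float:
    """Extra retained loss caused purely by the policy's exclusions."""
    no_exclusions = Policy(policy.limit, policy.deductible, set())
    return retained_loss(scenario, policy) - retained_loss(scenario, no_exclusions)


def annualized_loss(scenarios: list, policy: Policy) -> float:
    """Probability-weighted retained loss per year across all scenarios."""
    return sum(s.annual_probability * retained_loss(s, policy) for s in scenarios)


@dataclass
class Control:
    """A countermeasure with an annual cost and an assumed effect on likelihood."""
    name: str
    annual_cost: float
    reduces: dict                  # scenario name -> multiplier on probability


def apply_control(scenarios: list, control: Control) -> list:
    return [Scenario(s.name, s.annual_probability * control.reduces.get(s.name, 1.0), s.impact)
            for s in scenarios]


def rank_controls(scenarios: list, policy: Policy, controls: list) -> list:
    """Return (name, expected loss avoided, cost, avoided per dollar), best first."""
    base = annualized_loss(scenarios, policy)
    rows = []
    for c in controls:
        avoided = base - annualized_loss(apply_control(scenarios, c), policy)
        rows.append((c.name, avoided, c.annual_cost, avoided / c.annual_cost))
    return sorted(rows, key=lambda r: r[3], reverse=True)


# --- constructed sample inputs (assumptions, not data from any company) ---
SCENARIOS = [
    Scenario("ransomware_it", 0.10, {
        "response_and_recovery": 1_500_000,
        "business_interruption": 3_000_000,
        "legal_and_regulatory": 500_000,
    }),
    Scenario("ot_outage", 0.02, {
        "response_and_recovery": 1_000_000,
        "business_interruption": 12_000_000,
        "physical_damage": 8_000_000,   # replacing industrial equipment
    }),
]
# Assumed policy: the physical-damage bucket is excluded, the kind of gap Kannry warns about.
POLICY = Policy(limit=15_000_000, deductible=250_000, excluded_buckets={"physical_damage"})
CONTROLS = [
    Control("offline_backups_and_ir_retainer", 200_000, {"ransomware_it": 0.5}),
    Control("ot_network_segmentation", 400_000, {"ot_outage": 0.5, "ransomware_it": 0.9}),
]

if __name__ == "__main__":
    for s in SCENARIOS:
        print(f"{s.name}: impact ${s.total_impact():,.0f}, retained ${retained_loss(s, POLICY):,.0f}, "
              f"of which ${exclusion_gap(s, POLICY):,.0f} is due to exclusions")
    print(f"annualized retained loss: ${annualized_loss(SCENARIOS, POLICY):,.0f}")
    for name, avoided, cost, ratio in rank_controls(SCENARIOS, POLICY, CONTROLS):
        print(f"{name}: avoids ${avoided:,.0f}/yr for ${cost:,.0f}/yr ({ratio:.2f} per dollar)")
```

Two things in this toy model are worth noticing. First, the excluded physical-damage bucket is $8M, but the exclusion only adds $2.25M of retained loss, because the $15M limit would have capped most of that payout anyway; reading limit and exclusions together is what "knowing how the policy will actually work" means in practice. Second, the cheaper control wins on cost but loses on dollars of expected loss avoided per dollar, because the largely uninsured OT scenario dominates the retained exposure, which is the kind of conclusion a board can act on only once the buckets have been priced.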