Quantifying cybersecurity risks can be a critical step in understanding those risks and getting executive support to address them.
Risk. According to Merriam-Webster, the word has several meanings. First is “possibility of loss or injury: PERIL.” A little down the list comes, “the chance of loss or the perils to the subject matter of an insurance contract, also: the degree of probability of such loss.” Now, from a business perspective, we’re getting somewhere.
The cybersecurity world is accustomed to talking about risk in colorful terms. “Code red,” “condition yellow,” and the like have long been used to discuss the immediate risk environment.
But as cybersecurity has become an issue for business executives as much as technology managers, the language has changed and risk has shifted to a quantitative conversation.
A Sign of Maturity
Brian Riley, senior director of global cyber-risk management at Liberty Mutual, says, “Putting numbers or metrics around risk allows you to have a different level of conversation about what that means.” He explains that the differences not only allow the conversations to take place with different business groups, but are indicative of a growing maturity in the field of cyber risk.
One sign of cybersecurity maturity is adoption of a common language and analytical framework to describe risk in terms other lines of business understand.
There are a number of organizations that have developed such tools. For example, the International Organization for Standardization (ISO) and the National Institute of Standards and Technology (NIST) have created sweeping, comprehensive standards. And a tool like the Factor Analysis of Information Risk (FAIR) is a practical framework that helps organizations uphold those standards – specifically the ones that relate to cyber-risk.
Frameworks Make the Team Work
Steve Durbin, managing director of the Information Security Forum, says the common understanding within the organization is critical. “The challenge for security is to be able to translate security metrics into a form of reporting that is relevant and understandable to a senior audience and aligns with and supports the assessment of business performance and ultimately business risk,” he says.
That assessment will, at some level, need to be expressed in the dollars-and-cents terms that are the core of executive discussion.
“For board-level metrics, analytics data must often be combined with some sort of cost-benefit analysis,” says Heather Paunet, vice-president of product management at Untangle.
And boards of directors are increasingly interested in having CISOs and risk managers make sense in board meetings. “It would be a very foolish board indeed today that said it had no interest in understanding the company’s security posture and what steps were being taken to protect its critical assets,” says Steve Durbin.