How to Talk About Cybersecurity Risk Management
By Bill Bernard
We’re told as security professionals that risk is the language of business, and that to speak risk is to talk business. Certainly, there’s some truth to that. So we all went out and got our CISSP certifications. We learned how to talk about risk. And in the process, we realized there is still a gulf to cross between how business people talk about business risk management and how security people talk about cybersecurity risk management. It can sometimes feel like two people with very different accents trying to speak to each other; some things translate and some things don’t.
Those of us in information or cybersecurity are still the pioneers of our own risk language, and we lack some helpful tools. We have no equivalent to market analysis, no actuarial tables, no industry vertical championing our particular dialect of the language of risk and need to figure out our own way to talk to our boards. We’re left with no other choice than to develop the tools ourselves.
The metrics at our disposal are primitive, and not necessarily risk focused:
- Quantities of incidents identified and prevented
- Quantities of incidents identified and NOT prevented
- Cost of mitigation solutions
- Cost of remediation
We lack the projection ability to look at the coming year and say: “we will see 3,000 attempted incursions into our environment, and we will stop 2,900 of those.” At best, we can talk about managing cyber risk in a purely qualitative way.
An example. Our chances of getting hit with ransomware are “high,” but adding an email filtering solution will make it “lower.” But how much lower? 30%? 60%? Even if it eliminates 100% of the possible ransomware attacks sent via email, that still leaves other attack vectors open. So protecting against 100% of the email attack vectors may only stop 75% of ransomware attacks.
Lost in translation
While our business peers have a very solid risk vocabulary, with specific and nuanced definitions for their words, we cybersecurity risk management speakers have limited vocabularies. We use “good” to describe what the business might further separate into “acceptable,” “pleasing,” and “fantastic.”
And the confusion doesn’t stop there. Entire risk concepts don’t translate well when we start talking about managing cyber risk. With business risk you can aggregate and diversify risk; if one business unit does poorly you may have others that do well, supporting the company as a whole. With security risk, we can’t segment our assets. A high risk here isn’t offset by low risk there.
We also find our business risk colleagues asking us questions that make perfect sense to them, but are meaningless to us, such as: “How much money did we save by not having any security incidents this month?” As a security professional, I have a hard time with those kinds of questions. How do you prove a negative? How do you evaluate the cost of a loss that didn’t occur? How do you know how bad the thing that you didn’t get hit by was?
How to find common ground
All is not lost of course. There are ways to discuss the value of a security program with business risk speakers in a language everyone speaks, even if it’s not the language of risk itself.
Insurance Policies and Rates
Do you know who the absolute champs are at monetizing risk? Insurance companies. They maybe can’t answer a specific risk question about one car, but they can answer it for a fleet of insured drivers. They can tell you the statistical likelihood of a car without ABS causing a significant accident vs. the likelihood of a car with ABS. Or with autonomous braking and without. Or with and without blind-spot monitors, etc.
Cyber insurance policies are no different. If you get money off for having an IR partner on retainer or for having an EDR tool deployed, that’s a good indicator that those things help you manage cyber risk. These discounts can serve as a guide for your risk conversations: “deploying solution X has dropped our insurance rates by Y percent,” or even “deploying solution X has allowed us to qualify for this insurance program.”
Competitive advantage/business enablement
Did your company lose the big deal because your customer didn’t like the answers you provided to their security questionnaire? Did you lose out to a competitor who guarantees the security of data entrusted to them? Nothing gets the business risk speakers on your side like showing them how the things you do (or need money for) help them make money.
That is about as directly coupled to business risk as security can get, because it directly hinders or enables sales and customer retention.
Yes, I know, compliance is right up there with fear, uncertainty, and doubt (FUD) among the most hated excuses for doing something. But business people are all about compliance. Mention acronyms like SEC or FTC, and you’ll have a conversation starter for sure. But this is the nuclear option in some respects, so think before you dive in, and have the data to back your position up. If you can have a conversation about how you’re meeting these requirements, that is a load of risk worry you can take off of business people’s minds.
Tracking Key Performance Indicators
When all else fails, downshift to metrics over time. KPIs are still meaningful and still useful ways to communicate the value a security program brings to the business. But such stats are meaningless if they don’t have a long tail of history to compare against, so make sure you’re tracking them now, not just scrambling to pull something together for an upcoming meeting. From a security operations perspective, here are a few critical KPIs that provide direct insight into security operations programs:
- Time to validation of an incident (perhaps divided amongst severities) to show the efficiency of tier 1 and tier 2 operations
- Time to remediation of an incident (also divided amongst severities) to show the efficiency of the complete security operations program
- Percent of validated incidents closed as false positives, to show how tuning and continuous improvement in the program are removing those from the escalation path
- Coverage metrics to validate the % of systems and security tools that are properly and actively reporting data to the operations center for analysis and correlation
- % of incidents not identified by the SOC but by other sources (end users, third parties, etc.), to indicate how effectively the SOC identifies incidents before anyone else does
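As an added illustration that is not part of the original post, the Python below computes the five KPIs above from a handful of constructed incident records; the `Incident` fields and the sample data are assumptions about what a SOC ticketing system would export, not a description of any particular product.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from statistics import median
@dataclass
class Incident:
    severity: str                  # "high", "medium", "low"
    detected: datetime             # alert raised
    validated: datetime            # tier 1/2 confirmed it or closed it as noise
    remediated: "datetime | None"  # None while still open
    source: str                    # who found it first: "soc", "end_user", "third_party"
    false_positive: bool           # closed as a false positive at validation

T0 = datetime(2024, 1, 1, 8, 0)  # constructed sample records below (not real data)
INCIDENTS = [
    Incident("high",   T0, T0 + timedelta(minutes=15), T0 + timedelta(hours=4),  "soc",         False),
    Incident("high",   T0, T0 + timedelta(minutes=45), T0 + timedelta(hours=10), "end_user",    False),
    Incident("medium", T0, T0 + timedelta(hours=2),    T0 + timedelta(hours=2),  "soc",         True),
    Incident("medium", T0, T0 + timedelta(hours=3),    T0 + timedelta(days=1),   "soc",         False),
    Incident("low",    T0, T0 + timedelta(hours=8),    None,                     "third_party", False),
]

def _median_hours_by_severity(incidents, end):
    """Median hours from detection to end(incident), per severity; incidents where end() is None are skipped."""
    by_sev = {}
    for i in incidents:
        if end(i) is not None:
            by_sev.setdefault(i.severity, []).append((end(i) - i.detected).total_seconds() / 3600)
    return {sev: median(v) for sev, v in by_sev.items()}

def time_to_validation(incidents):
    """Tier 1/2 efficiency: how long alerts wait before an analyst validates them."""
    return _median_hours_by_severity(incidents, lambda i: i.validated)

def time_to_remediation(incidents):
    """Whole-program efficiency: true positives only, and only those actually closed."""
    real = [i for i in incidents if not i.false_positive]
    return _median_hours_by_severity(real, lambda i: i.remediated)

def false_positive_rate(incidents):
    """Share of validated incidents closed as false positives (tuning effectiveness)."""
    return sum(i.false_positive for i in incidents) / len(incidents) if incidents else 0.0

def non_soc_detection_rate(incidents):
    """Share of true-positive incidents first reported by someone other than the SOC."""
    real = [i for i in incidents if not i.false_positive]
    return sum(i.source != "soc" for i in real) / len(real) if real else 0.0

def coverage_percent(reporting, inventory):
    """Percent of inventoried systems actively sending data to the operations center."""
    return 100.0 * len(reporting & inventory) / len(inventory) if inventory else 0.0
```

Open incidents are deliberately left out of time to remediation rather than counted as zero, so a backlog shows up as a gap between the validation and remediation counts instead of as a flattering average.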
Make sure you’re looking through the right lens
A solution like the Deepwatch SCORE helps you communicate the value of your security operations program to your business and stakeholders by demonstrating how the maturity of your program compares to industry peers and other companies of similar sizes. Get better at managing your cyber risk by seeing where you stand today.