The Securities and Exchange Commission (SEC) is set to require that companies disclose their cybersecurity governance capabilities, including board oversight of cyber risk. Now more than ever, corporate boards must actively participate in cybersecurity management, but the barriers are high: the technical nature of cybersecurity can put practitioners and board members at odds from the start. Corporate boards deal in reality, the reality of balancing organizational goals against economic constraints, so finding a way to bring them into the cybersecurity conversation on their own terms matters more than ever. Enter cyber risk quantification (CRQ).
CRQ is not new. Board members are used to hearing about other key enterprise risks in terms of financial exposure, so why not cybersecurity risk? Until now, cyber risk quantification has been overly complex, static and inflexible, and resource intensive. The field is now maturing into a practical tool that translates cybersecurity risks into business problems corporate boards are already equipped to solve. Board members can then participate fully in decisions about where to invest to reduce cybersecurity exposure while demonstrating sound financial stewardship. In short, CRQ invites board members onto the team.
Corporate boards have been trained to understand cyber risks in largely qualitative terms and left to guess what those terms mean for the company's loss profile. For example, cyber risks are presented as "red, yellow, or green," and boards are expected to translate those colors into a loss profile on their own. Consider ransomware. Telling the board that ransomware is a "red" exposure amounts to saying "be concerned." But how concerned? Qualitative approaches evolved to compensate for a perceived technical language barrier, when in fact the barrier is not technical: it is the failure to present the problem in the economic terms for which the board has fiduciary responsibility. If boards are to participate fully, they must be able to understand ransomware as an economic condition that can dissolve companies and damage society.
Emerging cyber risk quantification methods do just that. They express complex technical risks in quantifiable terms that are easy to model and easy to understand. They allow boards to ask "what if" questions about how the risk changes when operating conditions change. They enable full board participation by letting boards align cyber risk with what they already know about the business: upcoming economic challenges, potential merger and acquisition activity, or the effect on the company's financial statements or stock price. Cyber risk already routinely scores as a top risk in surveys of executives and board members; CRQ gives boards a way to act on that concern in the language of their other decisions.
Emerging cyber risk quantification methods are also more accessible and practical. Cybersecurity practitioners can use them collaboratively with business personnel to set common, actionable goals for reducing operational risk. But getting trapped in extensive calculations and iterations, a mainstay of past CRQ methods, will not make this alliance successful. In fact, it may do damage, because it reinforces the belief that risk quantification is yet another technology-laden tool that will eventually become shelf-ware. So how do we make CRQ a vital organization-wide tool for understanding cyber risk exposure? Here are five critical steps that make CRQ a practical basis for board and business alignment on cyber risk:
Identify important and relevant cyber scenarios
A few key scenarios can be transformative in helping boards understand the organization's cyber exposure. They may be top of mind for the board (because they are in the daily headlines) or something the board has not yet considered. Don't get hung up on a few key assets, the so-called "crown jewels." Assets are "in production" so that operational processes can achieve their goals, so by widening the scope of quantification to those processes, the most important assets are included by design. A ransomware attack does not just target an information asset; it aims to disrupt an organizational process that depends on information assets. By thinking about cyber risk in the larger context of operational resilience, your scenarios will be more meaningful and understandable to organizational decision-makers, including board members.
Analyze the impact of risk—and document your work
Use a CRQ method that quickly gives you a view of the range of outcomes, in terms of potential economic loss, if a scenario is realized. Quantify the risk by examining every area that could be affected, such as reputation, the safety and health of employees and customers, or potential legal action. Be able to show board members how you calculated the risk and gain their consensus; record the input estimates (event frequency, loss range per event, and where each came from) alongside the results, so the board sees the assumptions and not just the number. By showing your work, you invite board members to help refine your calculations and, in doing so, further institutionalize their involvement in the process. Use methods such as Monte Carlo simulation to do the hard background work and produce results that can quickly be re-modeled as conditions change.
Don’t get distracted by probabilities
Traditional CRQ methods try to attach precise probabilities and likelihoods to scenarios, numbers that are often difficult, if not impossible, to calculate. For example, what is the precise probability that your organization will be affected by a specific ransomware scenario involving a specific information asset? And how will your probability assumptions hold up to board questions? A better way is to prioritize key scenarios by their relative probability: determine how susceptible you are to each scenario relative to the other key scenarios, and express frequency as a range (for example, once every two to ten years) rather than a single point estimate, letting the simulation carry the uncertainty. This lets you prioritize and quantify scenarios in the order in which they contribute to overall potential economic loss. By doing this, you avoid pseudo-precision; instead, you communicate to the board how susceptible you are to each risk scenario and why you are bringing it to the board's attention.
Evaluate countermeasures by the loss they prevent
Traditional methods of evaluating return on investment do not work well for cybersecurity investments, especially those that deal with risk mitigation. Unfortunately, boards are used to hearing about (and deciding on) organizational investments in terms of rate of return, so the same thinking is often applied to proposed security investments. A good CRQ method instead supports countermeasure-to-consequence evaluation, showing the amount of cyber loss prevented per $1 of countermeasure investment. In an effective CRQ method, that $1 is credited against every risk scenario the countermeasure affects, which reveals the force multiplier of evaluating countermeasures at the scenario level rather than one asset at a time.
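As an added worked example (written for this page, not code from the original article or from any CRQ product), the following Python script carries the "analyze", "prioritize" and "evaluate countermeasures" steps through on constructed figures using only the standard library. It converts a 90% loss range per scenario into a lognormal distribution, draws annual event counts from a Poisson rate, simulates 20,000 years to obtain expected and 95th-percentile annual loss, ranks scenarios by their contribution to expected loss, and scores each countermeasure by loss avoided per dollar across every scenario it reduces. Scenario names, frequencies, loss ranges, control costs and reduction fractions are all assumptions chosen for illustration.

```python
"""Added example: Monte Carlo cyber risk quantification on constructed figures."""
import math
import random
from dataclasses import dataclass, field

Z90 = 1.6449  # half-width of a central 90% normal interval, in standard deviations


@dataclass
class Scenario:
    name: str
    events_per_year: float  # expected annual frequency (Poisson rate), an estimate
    loss_low: float         # 5th percentile of loss per event, USD (assumed)
    loss_high: float        # 95th percentile of loss per event, USD (assumed)


@dataclass
class Countermeasure:
    name: str
    annual_cost: float
    # fraction of each scenario's expected loss the control removes, keyed by scenario
    reduction: dict = field(default_factory=dict)


def lognormal_params(low: float, high: float) -> tuple[float, float]:
    """Turn a 90% interval on per-event loss into lognormal (mu, sigma)."""
    mu = (math.log(low) + math.log(high)) / 2
    sigma = (math.log(high) - math.log(low)) / (2 * Z90)
    return mu, sigma


def analytic_ale(s: Scenario) -> float:
    """Closed-form expected annual loss (rate times lognormal mean), used to sanity-check the simulation."""
    mu, sigma = lognormal_params(s.loss_low, s.loss_high)
    return s.events_per_year * math.exp(mu + sigma ** 2 / 2)


def poisson(rng: random.Random, rate: float) -> int:
    """Knuth's method; adequate for the small annual rates used here."""
    limit, k, p = math.exp(-rate), 0, 1.0
    while True:
        p *= rng.random()
        if p <= limit:
            return k
        k += 1


def simulate(scenarios, years: int = 20000, seed: int = 7) -> dict:
    """Simulate `years` independent years; return a list of annual losses per scenario."""
    rng = random.Random(seed)  # fixed seed so the board's numbers can be reproduced
    results = {}
    for s in scenarios:
        mu, sigma = lognormal_params(s.loss_low, s.loss_high)
        results[s.name] = [
            sum(rng.lognormvariate(mu, sigma) for _ in range(poisson(rng, s.events_per_year)))
            for _ in range(years)
        ]
    return results


def percentile(values, pct: float) -> float:
    ordered = sorted(values)
    return ordered[round(pct / 100 * (len(ordered) - 1))]


def summarize(sim: dict) -> list:
    """(scenario, expected annual loss, 95th-percentile annual loss), largest expected loss first."""
    rows = [(name, sum(a) / len(a), percentile(a, 95)) for name, a in sim.items()]
    return sorted(rows, key=lambda r: r[1], reverse=True)


def rank_countermeasures(ale_by_scenario: dict, controls) -> list:
    """(control, loss avoided per year, loss avoided per $1), best ratio first."""
    ranked = []
    for c in controls:
        avoided = sum(ale_by_scenario.get(n, 0.0) * f for n, f in c.reduction.items())
        ranked.append((c.name, avoided, avoided / c.annual_cost))
    return sorted(ranked, key=lambda r: r[2], reverse=True)


# Constructed inputs: three operational-disruption scenarios and three candidate controls.
SCENARIOS = [
    Scenario("ransomware", 0.3, 100_000, 2_000_000),
    Scenario("vendor_breach", 0.5, 20_000, 400_000),
    Scenario("insider_fraud", 0.1, 50_000, 500_000),
]
CONTROLS = [
    Countermeasure("offline_backups", 120_000, {"ransomware": 0.5}),
    Countermeasure("mfa_everywhere", 60_000, {"ransomware": 0.3, "vendor_breach": 0.3, "insider_fraud": 0.2}),
    Countermeasure("vendor_monitoring", 90_000, {"vendor_breach": 0.4}),
]

if __name__ == "__main__":
    rows = summarize(simulate(SCENARIOS))
    for name, ale, p95 in rows:
        print(f"{name:18s} expected ${ale:>12,.0f}/yr   95th pct ${p95:>12,.0f}/yr")
    ale_by = {name: ale for name, ale, _ in rows}
    for name, avoided, per_dollar in rank_countermeasures(ale_by, CONTROLS):
        print(f"{name:18s} avoids ${avoided:>10,.0f}/yr  ->  ${per_dollar:.2f} per $1")
```

With these assumed inputs, ransomware dominates expected loss, yet the multi-factor authentication control ranks ahead of the ransomware-specific backup control on loss avoided per dollar because it is credited across all three scenarios; that is the force-multiplier effect the step describes. The `analytic_ale` function gives the closed-form expected loss, which is the kind of cross-check to show a board when they ask how the simulated figure was produced.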
Tell and show the board
An effective CRQ method gives you all of the data a board needs to become more involved in cyber risk management. You can use this data to inform the board about priorities, but by showing them the simple, powerful calculations behind it, you give them the opportunity to participate. In fact, you may refine your assumptions on the strength of their input. In the end, the board is armed with knowledge of the organization's key cyber risks, the potential economic loss associated with each, and the cost of countermeasures, from which informed decisions can be made.
An effective CRQ method should let you perform these five steps with a minimal time commitment, and it should be repeatable as needed to stay aligned with an evolving threat landscape. Cybersecurity practitioners get much-needed board guidance and can adjust their programs to better match risk priorities. Board members get a seat at the table to discuss cyber risks in terms that are meaningful and consistent with their responsibilities. And the organization benefits from cutting through the noise of potential cyber risks by focusing on those with the greatest potential for operational disruption and economic loss. In the end, an approachable CRQ method not only makes board participation more effective but gives all stakeholders a common way to communicate about and address cyber risk.