Dear CISO and Board

I think we should always consider our job as a part of the business. We finally started to consider cyber security and data protection as a serious issue but now the question is how we evaluate a risk in our analysis and business plans…

Current documentations and reports, for risk analysis, presented to most of the boards use just a flag (High, medium, low risk) but does not seems to specify any metric. Without metric it is hard to make sound evaluation and comparison so to the question raised by any member of the board : “does a high risk in XYZ be dangerous as a high risk in ABC” can’t have a credible answer if not on “perception” which is subjective if not backed up by facts..

Security metrics are, as of now, subject of interpretation and discussion but we can simplify the approach to make security analysis somehow credible and understandable.

First of all, to answer to board question what is needed is a common framework of evaluation, that include easy to read metrics, that make comparison understandable even to not cyber security experts, as most of the board member that have to take decision based upon those inputs are.

This is something that goes beyond the Cyber and Information Security Officer tasks, this requires the whole company to start thinking about its cyber security and digital assets, but unless the approach is to take a reactive way of do thing, inputs coming from you should be provided to start outlining this framework and metrics.

Alas cyber security risk analysis is all but simple, mostly if related to business impact, since it requires understanding of cyber security issue and, as well, the business in which the risk is analyzed.

There are two main aspects that need sound and readable metrics:

  1. Risk evaluation
  2. Risk consequences

The first item is used to define how “risky” is something. Measure a risk requires, to simplify a complex matter, to be able to evaluate the probability that something happens, the magnitude of the damage, and the cost for fixing things. Magnitude of the damage and cost to fix things are bound to Risk consequences, that are, basically, the metric that can be used in a board meeting to describe the risk in terms understandable to a non-cyber security aware audience.

I will not enter in the realm of risk evaluation deeply here, you have a deep knowledge and understanding of the issue and I do not want to bore you with my considerations, but let me notice how there is not, apparently, yet a common framework of evaluation spread through your company’s groups and BU on the matter.

If risk evaluation is one key, but mostly technical, aspect, let me point out something on the risk consequences aspect that can be of some use in the future business plans to make them useful from a business perspective and not just a sterile exercise.

Risk consequences can be presented, basically, in some dimensions that are somehow related, the aim here is to understand if a cyber security incident occurs what can be the measures that allow your company to describe it and, therefore, compare with another event.

Would make sense, in my point of view, to present any risk analysis to the board and other managers in those terms:

1)     Monetary cost in terms of loss revenues

2)     Monetary cost in terms of live costs

3)     Impact on market penetration

4)     Impact on brand perception

This would allow to compare an XYZ incident to a ABC incident and answer somehow to Board question, and, moreover, to give a metric to understand where and why to invest in an area instead of another one.

Let me quickly describe the 4 points.

1)     Monetary cost in terms of loss revenues

This is a dimension that can be easily perceived by sales and financial managers. This basically means to be able to estimate how many direct selling activities will be impacted by the incident. The timeframe taken into account is key, of course, since events can have different effect in terms of immediate, medium and long term timeframe.

The evaluation can be presented both in terms of net amount of money or % compared to budget. Both make sense to understand the impact.

2)     Monetary costs in terms of live costs

This basically means to put into account all the live costs related to the incident as fines, legal issues, HW\SW replacements, people working on the issue and so on. It is important to separate costs related to the incident to the loss revenue related to the incident.

3)     Impact on market penetration

This is a metric that make sense for a vendor who is trying to expand its footprint in the market as your company is trying to do. It is strictly connected to the direct revenues but also to the growth expectations. This can be represented as a % of the market share.

4)     Impact on brand perception

This last item is the hardest to measure, since it depends on the metric used to value Brand inside your company, since I have been never told what metrics are used I can here just suggest to present the %variation related to the value before the incident.

For what I know this has not been done before on Cyber and Information Security Business Plans. It could be either something sound to present in your future BP or a task for the Cyber and Information Security Office to be implemented for this year if the structure is not able to do this kind of analysis and presentation.

With those 4 points would be possible to both:

make comparison between risks

and

provide to the board an output that can be objectively used to take decision.

Let take, as an example, privacy risk related to GDPR not compliancy.

This approach would allow you to present in the BP set of data to justify expenses and investments every time a risk is presented; something like:

Let me explain the the table to you, of course values are fictitious and timeframe can be adjusted to your reality but give almost a basic understanding.

GDPR not compliancy:

1)     customer personal data breach: Columns headers

Short term impact (1-3 months)

It is what happen immediately after the problem, where you have to set up the required operations to make things running again somehow. If you have a Emergency Response Team (You should) this is where you put the costs…

Midterm impact (3 months – one year)

Let be honest, if it is a minor outbreak may be things will be solved quickly, but if the problem is bigger, as your marketing database exposed, you will start considering also legal costs, fines and the impact on your market…

Long Term Impact (1-3 years)

Things have an impact also after your BP, life is nt restricted to your daterange, business is not restricted to daterange, you you should be able to make prediction and analysis way longer than the simple one year timeframe. It is common in any business, so here too.

2)     customer personal data breach: rows headers

Revenue losses

This is the revenue losses that you will have to face upon your budget expectations.

Live costs

This contains what you have to pay, your direct costs that cove, as an example:

  • HW\SW replacement
  • Fines
  • Estimated “damaged user” legal issues if someone sue you
  • ransom paid
  • eventual cyber security insurance policy fee rise
  • stop production costs
  • people working on the issue to solve the problem (eventual forensic analysts, cyber experts, lawyers …)

Impact on Market Penetration

This is where you put how the incident will damage your business in terms of your presence and future outlook.

Impact on Brand Perception

this is how your credibility will be affected

With this kind of matrix would be easy to make correct evaluations and comparison. I am not sure this is at the moment something that can be done with the current analysis tools but eventually would be a sound element to put in a BP for a future sound approach to cyber security risk evaluation.

regards

Antonio Lerano

Source: linkedin.com