This document provides methods and inspiration for Chief Information Security Officers (CISO) to design and implement quantitative cybersecurity metrics to report cyber risk at Board level and provide reasonable assurance that the risk is within the accepted risk appetite.
Once upon a time, you could protect your secrets by turning a key in a closed door. For your deepest secrets, you might have installed a better door, maybe improved the walls, or stationed a couple of guards. When you needed to move your secrets, you would bundle them into a bag and use steganography or cryptography to keep the secret from prying eyes. This fairy tale was true for computers too, but this time is long gone. Our society, economy, and day-to-day life depend on the exchange of information that swims through our interconnected systems. The concept of a protective fence is a thing of the past.
The modern economy and its reliance on data has made our secrets ever growing in value, and this has attracted the attention of the professional criminal, ever probing our defences. Our information systems create substantial risk to governments, businesses, and individuals alike. In 2021, $4 million was the average cost for a data breach at a typical corporation. A major breach could even go upwards of $400 million . The total costs for all cybersecurity incidents in 2020 are estimated at $1t, a more than 50% increase in two years.
It is no wonder that cybersecurity is a top-of-mind issue for most organizations and governments, and this attention is rightfully deserved. As an example, the new SEC regulations related to cybersecurity risk disclosures include provisions on the importance of communicating cybersecurity risk to boards.
But having the ear of senior stakeholders is not solving the cybersecurity problems or reducing the risk. Our business and governmental leaders are illequipped to deal with cybersecurity because cybersecurity does not speak their language. In turn, cybersecurity is ill-equipped to deal with senior stakeholders because cyber professionals struggle to measure their program’s effectiveness, articulate program utility, or even communicate its successes. This inability to measure the effectiveness of cybersecurity controls and communicate the risk reduction they produce to the senior stakeholders puts cybersecurity professionals in a position where they jockey for budget, yet they do not know if what they are doing is actually reducing the risk of losses.
Zero risk is unreachable and unrealistic. It always has been. But the dynamics have changed. Furthermore, the pace of change in the cybersecurity threat landscape exceeds our ability to adjust controls for risk or even identify which controls matter for mitigating risk. A CISO needs to justify the cybersecurity budget and explain why the chosen approaches align with the organization’s overall risk appetite. This is a challenging task, but one for which this paper aims to provide inspiration and material to design and implement pragmatic solutions.
Views: 0
