The definition of success and the accurate measurement of the indicators of that success are business imperatives. In some fields, they are easily recognized and fairly simple to measure — for example, measuring sales volumes, return on investment (ROI), or customer satisfaction survey results.
However, in fields such as preventive medicine or aviation safety — where success is measured by diseases avoided or disasters averted — executives face the challenge of proving a negative to determine success. Cybersecurity is a prime example of this, with security teams struggling to succinctly demonstrate the ROI from not getting hacked last month or from not losing valuable customer data from the breach that never happened.
Proving the “crisis averted” makes it hard to demonstrate value in a way that traditional corporate executives can understand. However, given how organizations are prioritizing a number of digital transformation initiatives to increase efficiencies and simplify environments in both scope and proximity to core business operations, the mandate for doing so is increasingly urgent. The way to drive the value proposition of cyber beyond just the walls of the IT office and onto the value assurance and risk management agendas of top organizational leaders is by framing the data into a format they can quickly process. CISOs can do this by tying security investments to business impacts through a cyber balance sheet.
The resulting impact of a cyber incident can be widespread and long lasting. Therefore, investments in cyber-risk solutions should be substantiated and correlated to these business impacts. And, the cost estimation of these impacts should evolve to meet today’s reality. Historical calculations (such as server downtime) and recovery time objectives are no longer enough.
Executives need to be able to consume the complexities of cyber-risk in business terms and receive repeatable, meaningful metrics upon which to base risk decisions. Often, the information being provided by CISOs and security teams to update management on their cyber exposure is highly complex and generated in a technical lexicon. This thwarts the ability of management to truly understand much less calculate value regarding cyber-risk, and ultimately puts them at a disadvantage regarding their ability to effectively prioritize, govern, and execute on cyber programs that can have operational, financial, and reputational impacts.
Let’s dig into the proposed cyber balance sheet. Balance sheets, and financial statements in general, exist to provide a broad view of the financial performance of an entity. They are based on a standard framework that takes vast amounts of data from many different sources and systems and consolidates that information down to a cohesive view of financial performance that is easily understood by those who consume it. The demands of cyber-risk reporting are analogous; large amounts of technical risk data need to be consumed from many systems and synthesized down to easily understandable, meaningful business risk terms to allow a variety of stakeholders to make decisions.
Using financial modeling, companies can adopt approaches for estimating both the direct and hidden intangible costs associated with cyber-risk and express those risks in traditional financial terms. These models should be based on industry-accepted frameworks (e.g., FAIR, NIST, etc.). A cyber balance sheet incorporates these financial models and related tools to gauge the impact differential between, say, two hours of downtime for an online merchant website versus two hours of downtown for a complex manufacturing line. While the former could mean lost customer data, the latter could cause a vast ripple effect on production and even shut down your just-in-time global supply chain because expensive infrastructure was sabotaged and destroyed.
Organizational Steps Toward More Cyber Visibility and Investment
Against this backdrop, cyber-risk should be structured and measured beyond mere threats, vulnerabilities, and probability — and into the realm of fully assessing the nature and severity of risks; the “materiality” of threats for prioritizing remediation; and the decision support for both tactical judgments and larger strategic business decisions that affect the whole company.
Here are two examples that showcase the value of security in ways that executives understand and care about.
Demonstrating how a needed software or workflow improvement will solve not just an immediate security problem in one department but also solve everyone’s problem in numerous departments if the approach is adopted organizationwide would likely be well received and offer a more federated approach to governance.
A government agency CIO could show how new FedRAMP security templates to inherit data from trusted multitenant cloud-based identity access management platforms cannot just plug security holes and reduce reporting violations but also boot efficiencies by reducing redundant compliance validation on applicants that use such services.
If leadership views the CISOs and their teams as more operational and focused only on technology or information risks, the cyber team could be treated as less of a strategic asset and will become more of a strategic adviser. Ultimately, tying security investments to business impacts, and measuring those effects with a cyber balance sheet approach will help elevate cyber-risk understanding and commitment for executives and boards.
Check out The Edge, Dark Reading’s new section for features, threat data, and in-depth perspectives. Today’s top story: “What a Security Products Blacklist Means for End Users and Integrators.”
Andrew Morrison is a principal in Deloitte & Touche LLP’s Cyber Risk Services practice and specializes in assisting clients with the risk associated with cyber threats. Andrew currently serves as the US leader of Deloitte’s Cyber Strategy, Defense, and Response practice. In … View Full Bio