Jerry Caponera, Head of Risk Strategies at ThreatConnect, discusses the importance of developing a risk-oriented view into cybersecurity and why cyber risk needs to be quantified in the same way as operational risk or credit risk.
Security: What is your background? What are some of your responsibilities in your current role?
Caponera: I received a Bachelor of Science in Electrical Engineering in college, have a Master’s in Computer Science and earned an MBA. I’ve been working in cybersecurity for more than 13 years after starting my career as a developer. I’ve always had one foot in the business and finance world and one in the technical world, which is partly why I was drawn to the cyber risk quantification space about seven or eight years ago.
My current role at ThreatConnect is to define and lead the execution of our cyber risk strategy, which involves setting the direction for our Risk Quantifier product as well as helping to define and drive our Risk-Threat-Response strategy. Cyber risk is influenced by the threats you’re facing — and the threats you’re facing are influenced by the business risks they create. That, combined with the need to respond rapidly, results in a Risk-Threat-Response strategy, changing how businesses view cybersecurity.
Security: Why has cybersecurity become a top-three business concern?
Caponera: There are three reasons why cyber is now a top business concern: money, money and money. In reality, there are three kinds of “money,” or critical financial considerations: the direct cost of a cyberattack, the amount of money companies are spending on cybersecurity and the market value.
The first definition of money is the direct cost of an attack. The data shows that the cost of a cyberattack has dramatically increased over the years. In my opinion, cyber risk’s watershed moment was the Target breach of 2013, which cost Target more than $300M — and the CEO’s job. Target’s CEO losing his job demonstrated to companies that a cyberattack can affect not only their business but also their own careers.
The second definition of “money” has to do with how much companies are spending on cybersecurity. “In 2004, the global cybersecurity market was worth $3.5 billion — and in 2017, it was expected to be worth more than $120 billion. The cybersecurity market grew by roughly 35X over 13 years,” according to Cybersecurity Ventures. For most companies, cybersecurity is a cost center, not a revenue-generating center. CEOs and boards are asking, “Do we have enough security?” and “Are we protected?” and “How much is enough?” These are all critical questions.
The third definition of money is damage done to reputation or “market value.” Companies hit with a cyberattack tend to lose market value and customer confidence. Studies show that anywhere from “17% to 42%” of customers would leave your brand after a cyberattack. And if your company wants positive year-over-year customer growth, a cyberattack can be devastating.
In the end, the reason cyber risk is now a top-three risk for a company is that a cyberattack can end jobs, cost a company millions of dollars, and in some cases cause the company to go out of business. There are plenty of examples of small companies going out of business due to a ransomware attack — it’s just a matter of time before a larger company ends up dealing with something similar.
Security: What is the importance of developing a risk-oriented view into cybersecurity?
Caponera: Although companies primarily exist to serve their customers, employees, shareholders and the greater community, we increasingly see that specific cybersecurity threats can threaten a company’s entire existence. When considering said threats, the most crucial action companies can take is managing and mitigating the cyber threats that pose the most significant risk to the business. Not all threats are equal, so it’s key to quantify the risk in order to make informed business decisions.
Companies spend money on cybersecurity not because they want to (it doesn’t help them grow the business) but because they have to in order to protect the business. Yet, most companies look at cybersecurity in a technical way — which poses several challenges.
From reviewing/patching vulnerabilities to implementing security projects and handling security events, the burden of cyber threats is too much for a company to manage. The sheer volume of work outweighs the ability of teams to manage and execute. And not all risks are equal; even two “critical” risks might not be the same if one “critical” risk is to key infrastructure while another “critical” risk is to a company timekeeping system.
A risk-based approach to cybersecurity helps prioritize resources to tackle tasks that matter most to the business. Companies must move towards a risk-oriented view of cyber to mitigate what matters most to the business.
Security: Why does cyber risk need to be quantified in the same way as operations risk?
Caponera: Most companies I’ve worked with over the years have a single repository and process for managing risks to the business: the risk register. Companies need to look at all risks in context. Cyber risks are essential, but are they more important than the risk of a competitor entering your space? The answer to that question demands that we view cyber risk like all other risks in the company.
For example, let’s say a company has a $10M risk due to a ransomware attack, and it will cost them $1M to mitigate that risk. But they also have a new competitor entering the space that could take $25M in revenue from their top line. To minimize the $25M risk, the company would need to spend $1M on new marketing, feature development and other efforts. If the company only has $1M to spend, where should they spend it? The answer to the question depends on the company, but having that conversation in one place will add all the context needed on why cyber risk should be treated like all other risks to the organization.
Security: How critical is it to be able to quantify the potential implications of a cyber-breach on an organization’s bottom line financially?
Caponera: I think we’re past the point of debating the importance of quantifying risk in financial terms — it’s a necessity for every business. The frequency of attacks is growing across all sectors, and therefore, the financial risk is growing. These trends will continue to only go in one direction: up.
However, there is a decreasing trend in the ability and speed at which a company can respond to security threats. Those constraints — cost versus resources — are only going to grow over time. With cyber risk now a top-three risk for organizations, companies have to look at and quantify cyber risk in financial terms or risk being left behind.