As cyberattacks continue to disrupt organizations of every size and sector, it has never been more important for CISOs to keep an open line of communication with the C-suite and the Board about risk. Most CISOs recognize that communicating risk matters, but many struggle to show, in dollars, how much their defenses actually reduce it. That is what quantifying cyber risk means.
Quantifying cyber risk means estimating both the likelihood of a cyber-related incident and its financial impact. In practice this involves identifying, validating and analyzing threats with models that combine the organization's loss expectancies (how much a single event costs and how often it happens), the cost of the controls it invests in, and the probability that a given threat materializes against the impact when it does.
Cyber risks are very real, but how can security leaders translate their technical impact into terms that senior level executives can understand, prioritize and act upon?
Think ahead: Anticipating C-suite questioning
Before a CISO can begin putting together any type of risk readout, they must first take a step back to understand the questions being asked of them by the C-suite and Board members. Of course, these questions will evolve over time, especially when a major data breach or vulnerability takes place in the industry. For the most part, CISOs should be prepared to answer the following questions:
- What are the top risks and what is their dollar value impact to business?
- How do we evaluate the effectiveness of our information security program by way of ROI?
- Are we investing in the right areas?
- Are we spending enough – or too much – on information security?
Preparing answers to these questions forces the CISO into a business-oriented framing of the organization's risk posture, and that framing, not the technical detail, is the focal point of the readout.
Understanding qualitative vs. quantitative risk readouts
When CISOs are tasked with providing risk readouts to fellow executives and board members, those readouts fall into two broad categories: qualitative and quantitative. Security leaders need to know the difference between the two, as well as the pros and cons of each.
Qualitative risk readouts are based on data that describes qualities or characteristics, typically collected through questionnaires, interviews or general observation. These readouts have some inherent problems. For one, the familiar rating scale of "critical, high, medium and low" is usually defined poorly or not at all, so two assessors can rate the same risk differently. Qualitative readouts also have no place to express risk tolerance and risk appetite, which is exactly what the board needs in order to judge whether the organization's security posture is acceptable. Most importantly, they do not speak in financial terms, so they often fail to address the C-suite's priorities: they give neither the risk and its impact in dollars nor the amount of risk reduction a proposed control would buy, in dollars.
Quantitative risk readouts get senior executives' attention in the best way possible, because the analysis is rooted in cost-based ROI from a business perspective. They are built on measured or estimated figures (event frequency, loss per event, control cost), which gives them a natural place to embed risk tolerance: a dollar threshold and the acceptable probability of exceeding it. They are also more precise than ordinal qualitative scales, with the caveat that the output is only as good as the frequency and loss estimates that go in, so those estimates and their uncertainty should be stated alongside the result.
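The following is an added, self-contained example (not code from the original article or from any vendor) of the kind of calculation behind the quantitative readout described above: it combines loss expectancies, the cost of a control and event probabilities into annualized loss expectancy (ALE), a return on security investment (ROSI) figure, and the probability of exceeding a stated risk appetite, before and after the control. All scenario figures, the control package, its cost and the risk appetite are constructed assumptions for illustration, not data from any organization.

```python
"""Quantitative cyber-risk readout: ALE, loss-exceedance probability and ROSI.
Added example; every figure below is a constructed illustration (an assumption)."""
import math
import random
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Scenario:
    name: str
    aro: float          # annualised rate of occurrence (expected events per year)
    loss_median: float  # median loss per event, in dollars
    loss_sigma: float   # spread of per-event loss (standard deviation in log space)


def single_loss_expectancy(s):
    """Mean loss per event: a lognormal with median m and log-sd sigma has mean
    m * exp(sigma^2 / 2), so with sigma = 0 this is simply the median."""
    return s.loss_median * math.exp(s.loss_sigma ** 2 / 2)


def annualised_loss_expectancy(s):
    """Classic ALE = SLE x ARO: the dollar figure behind a 'top risk' line item."""
    return single_loss_expectancy(s) * s.aro


def poisson_draw(rng, lam):
    """Number of events in one simulated year (Knuth's method; fine for small rates)."""
    limit, k, p = math.exp(-lam), 0, 1.0
    while True:
        k += 1
        p *= rng.random()
        if p <= limit:
            return k - 1


def simulate_annual_losses(scenarios, trials=20000, seed=1):
    """Monte Carlo: total loss in each simulated year across all scenarios."""
    rng = random.Random(seed)
    totals = []
    for _ in range(trials):
        year_loss = 0.0
        for s in scenarios:
            for _ in range(poisson_draw(rng, s.aro)):
                year_loss += rng.lognormvariate(math.log(s.loss_median), s.loss_sigma)
        totals.append(year_loss)
    return totals


def exceedance_probability(totals, threshold):
    """P(annual loss > threshold): the number the board compares with its risk appetite."""
    return sum(1 for t in totals if t > threshold) / len(totals)


def apply_control(s, aro_reduction=0.0, loss_reduction=0.0):
    """Model a control as a fractional cut in event rate and/or per-event loss."""
    return replace(s, aro=s.aro * (1 - aro_reduction),
                   loss_median=s.loss_median * (1 - loss_reduction))


def rosi(ale_before, ale_after, annual_cost):
    """Return on security investment: (risk reduction - cost) / cost."""
    return (ale_before - ale_after - annual_cost) / annual_cost


def readout(before, after, annual_control_cost, appetite_threshold, trials=20000):
    """The numbers a quantitative readout puts in front of the board."""
    ale_before = sum(annualised_loss_expectancy(s) for s in before)
    ale_after = sum(annualised_loss_expectancy(s) for s in after)
    sim_before = simulate_annual_losses(before, trials)
    sim_after = simulate_annual_losses(after, trials)
    return {
        "ale_before": ale_before, "ale_after": ale_after,
        "mc_ale_before": sum(sim_before) / trials, "mc_ale_after": sum(sim_after) / trials,
        "p_exceed_before": exceedance_probability(sim_before, appetite_threshold),
        "p_exceed_after": exceedance_probability(sim_after, appetite_threshold),
        "rosi": rosi(ale_before, ale_after, annual_control_cost),
    }


# Constructed scenarios (hypothetical figures, for illustration only).
PORTFOLIO = [
    Scenario("Ransomware on file servers", aro=0.3, loss_median=800_000, loss_sigma=1.0),
    Scenario("Phishing-led wire fraud", aro=2.0, loss_median=60_000, loss_sigma=0.8),
    Scenario("Customer data breach via web app", aro=0.1, loss_median=2_500_000, loss_sigma=0.9),
]
# Assumed control package (MFA plus endpoint detection) and its assumed annual cost:
# it cuts the event rate of the first two scenarios and leaves the third untouched.
CONTROL_COST = 250_000
HARDENED = [apply_control(PORTFOLIO[0], aro_reduction=0.6),
            apply_control(PORTFOLIO[1], aro_reduction=0.5), PORTFOLIO[2]]
# Assumed risk appetite: at most a 10% chance of losing more than $1M in a year.
APPETITE_THRESHOLD, APPETITE_PROBABILITY = 1_000_000, 0.10

if __name__ == "__main__":
    r = readout(PORTFOLIO, HARDENED, CONTROL_COST, APPETITE_THRESHOLD)
    print(f"ALE before control: ${r['ale_before']:>12,.0f} (Monte Carlo ${r['mc_ale_before']:,.0f})")
    print(f"ALE after control:  ${r['ale_after']:>12,.0f} (Monte Carlo ${r['mc_ale_after']:,.0f})")
    print(f"ROSI on ${CONTROL_COST:,}/yr of control spend: {r['rosi']:.0%}")
    for tag in ("before", "after"):
        p = r[f"p_exceed_{tag}"]
        verdict = "within" if p <= APPETITE_PROBABILITY else "outside"
        print(f"P(annual loss > ${APPETITE_THRESHOLD:,}) {tag}: {p:.1%} -> {verdict} appetite")
```

Two design points are worth noting. The analytic ALE is the single number that answers "what is the dollar impact" and "is this spend worth it" (a positive ROSI means the control removes more expected loss than it costs), but a board also needs the tail: the Monte Carlo exceedance probability answers "how likely are we to blow through the amount we said we could tolerate", and a control can have a healthy ROSI while still leaving the organization outside its stated appetite. That second number is what the qualitative "high / medium / low" scale cannot express.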
Regularly communicating risk: Finding the proper cadence
Once a readout has been prepared and delivered, the job is not done. Cyber risk should be communicated to the C-suite and Board on a regular cadence, so that the trend in risk is visible and a reduction can be tied back to the investment that produced it. Communication is central to strengthening an organization's security posture, and it starts with the CISO reporting risk properly to their peers. By using a quantitative readout, reporting on a regular schedule and anticipating the C-suite's questions, security leaders will be well positioned to make the organization's risk levels clear, and to get what they need in order to improve its defenses.