How to Quantify Cyber Threats as a CISO in 2020
The recently released Internet Organised Crime Threat Assessment (IOCTA) for 2019 by Europol shows that the threat landscape has matured, and key threats have grown in persistence and tenacity.
The report confirms that the destructive ransomware threat remains high. Phishing, spear-phishing, and vulnerable remote desktop protocols have been identified as the primary infection vectors.
Such a threat landscape requires continuous effort to identify the main cyber threats to the organization and how much damage they can do.
CISOs need to be prepared for 2020 and coordinate their security efforts with the board and their company goals.
Communicating cyber threats in the board’s language—exact figures and business impact—requires a way to quantify these threats.
To quantify these cyber threats, CISOs require greater access to the organization’s key financial data and other indicators.
#1 Identifying the biggest threats and their financial impact on the company
Identification of the largest cyber threats seems to be the biggest hurdle in presenting cyber risk and exposure, mainly due to the fragmentation of digital solutions in organizations.
According to Deloitte’s Future of Cyber Survey, 41% of CISOs state that Shadow IT presents the most challenging aspect of cybersecurity management in the organization, followed closely by 37% of CISOs stating that cyber transformation presents a large challenge.
Shadow IT makes it challenging to quantify cyber risk, as there is no overview of all systems. This makes it next to impossible to get a good snapshot of organizational cyber maturity or security posture.
When the departments integrate digital solutions on their own, there is no alignment of IT with critical business goals.
How does it relate to quantifying cyber threats?
The board requires a good overview of the maximum potential threat so they can make the right risk assessments. Getting Shadow IT under control is the primary objective in being able to deliver such assessments.
Simply saying the largest cyber risk (such as data leakage or breach) will cost the company millions, destroy it, or have far-reaching consequences is not enough anymore.
How much would the cyber incident cost if left as is?
How much would your solution cost?
How much exposure would remain after implementing the solution?
Would your solution be a sound decision, from a financial standpoint?
Speak in actual numbers that affect the company, not industry averages.
#2 Getting access to the company turnover figures
Back in the day, CTOs and sysadmins, as they were called in smaller companies, had nothing to do with turnover figures or any type of financial statements outside of the realm of IT. Times have changed, and nowadays, cybersecurity is an integral part of every company.
With digital systems running in every department, the CISO requires a full overview of each of them to devise a data and information security strategy that will minimise risk and make the organisation more resilient to threats.
How does it relate to quantifying cyber threats?
Nowadays, CISOs must have access to company turnover figures in order to be able to quantify risk in terms that the board will understand. If the board wants to talk about cyber threat risk figures, you must show them how cyber threats will affect the organisation’s turnover.
The profit/loss reports would give better insight, but these are impossible to get if you’re not in a directorial position. Instead, focus on getting company turnover numbers to build your case.
#3 Presenting the impact of technology issues on employees
To get a clearer picture of how a cybersecurity incident will affect employees, it’s best to separate users into high-, medium-, and low-impact groups.
Technology issues won’t affect all users in the company in the same manner.
Some will experience only mild inconveniences but be able to continue working.
Some won’t be affected at all.
Some, however, won’t be able to do a single thing until the issue is resolved.
How does this relate to quantifying cyber threats?
Quantifying the impact of cyber risk depends heavily on how your operations will take a blow. When you have a clear picture of how dependent your users are on technology, you will be able to calculate the impact.
If users can’t do their job at all—high impact users—it means their operations are standing still, which makes the risk and its cost greater.
If users aren’t that affected, the cost will be lower too.
#4 Presenting the financial impact of “downtime” on the company’s salaries
The amount of high, medium, and low impact users determines more than just the extent of the impact. It also shows how much downtime will cost in terms of salaries—how much it will cost the organization that these employees won’t be able to work.
How does this relate to quantifying cyber threats?
Even if employees can’t work because of the security incident that needs to be resolved, they will still get their salary for the day. How much will this add to the total cost of the security incident?
You don’t need exact figures for every possible employee you hire, of course, but having an idea of salary averages will help you determine this cost.
To get some idea on salary figures, ask the CFO or somebody in the financial department. You might even want to use external resources that can give you averages, such as Glassdoor.
#5 Determining the financial impact of “downtime” on the company’s sales
Most of the time, cybersecurity incidents have the greatest impact on company sales, since the sales processes are heavily dependent on technology. Your e-commerce stores won’t bring you any sales if the servers are under attack or if payment processing is down.
How does this relate to quantifying cyber threats?
While sales aren’t your responsibility, the impact of cyber threats on sales falls within your role. CISOs have the responsibility to communicate the impact of cyber threats on sales and present the costs of worst-case scenarios.
How many turnover days will the company lose in case of threat X?
Within each of those turnover days, what percentage of sales will go down the drain?
What is the chance of losing market positioning in case of threat X?
To provide relevant numbers, you must include the Sales team, and any other team related to sales to give you the required information on how market positioning and sales will be affected in worst-case scenarios.
What is the financial impact of IT regulations?
Information and data are top targets of cyberattacks, and all companies are under strict regulations on how to protect them, no matter what industry you are in.
Take GDPR as an example—the data protection act lists extremely high fines for companies that do not take necessary measures when it comes to personally identifiable information (PII).
How does this relate to quantifying cyber threats?
CISOs must quantify the impact of all regulations pertaining to the company in worst-case scenarios. The GDPR, for example, has extremely high fines. In case of a data breach, the company might face fines of 20 million euros or 4% of its annual revenue, whichever is greater, and this must be included in the potential financial impact of cyber threats.
Most companies won’t stand a chance of recovery from such high fines.
What is the efficiency of my solutions against the biggest cyber threats?
After presenting the cyber threats that are most likely to affect the company, CISOs must also present the solution. To sell the solution, you must quantify it too: its immediate and annual costs, in comparison to the cost of the threat it addresses.
In addition, there is also the efficiency factor of the solution—how much of the risk will it mitigate, and how much exposure would remain?
The efficiency of the solution depends on the threat type and environment. Is it on-premises? Is it in the cloud?
There are very few scenarios where a cyber solution will have 100% efficiency, so decision-makers need to see the exposure left and weigh up the risk factor themselves.
How does this relate to quantifying cyber threats?
The reason why CISOs must quantify cyber threats is to put the costs in perspective when compared to the costs of efficient solutions.
Solution efficiency and cost help them justify investments that will improve the company’s resilience and overall security posture.
It is likely that CISOs will have more than one solution for mitigating the biggest threats, with each of them having a different efficiency depending on the environment.
Showing the total cost of the solutions versus the cost of a security incident without them will help the board understand just how much a security incident can set the company back.
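The cost model that sections #3 through this one walk through (salary cost of downtime by user tier, lost turnover days, the GDPR fine term for a data breach, and the exposure left after a solution of a given efficiency), written out as an added example that is not part of the original article or of Boardish. All figures, the tier definitions and the 365-day turnover divisor are constructed assumptions.

```python
from dataclasses import dataclass
@dataclass
class UserTier:
    name: str
    headcount: int
    avg_daily_salary: float  # loaded cost per person per working day (constructed)
    work_lost: float         # 1.0 = cannot work at all, 0.0 = unaffected

@dataclass
class Threat:
    name: str
    downtime_days: float        # days until systems are usable again
    turnover_days_lost: float   # trading days with degraded sales
    sales_lost_fraction: float  # share of sales lost within those days
    data_breach: bool           # a PII breach adds the GDPR fine term

def salary_downtime_cost(tiers, downtime_days: float) -> float:
    # Salaries are still paid while staff cannot work, weighted by how much work is lost.
    return sum(t.headcount * t.avg_daily_salary * t.work_lost * downtime_days for t in tiers)

def sales_downtime_cost(annual_turnover: float, days_lost: float, fraction: float) -> float:
    # Average daily turnover (annual / 365, an assumption) times affected days times share lost.
    return annual_turnover / 365 * days_lost * fraction

def gdpr_max_fine(annual_turnover: float) -> float:
    # Upper GDPR fine: EUR 20 million or 4% of annual turnover, whichever is greater.
    return max(20_000_000.0, 0.04 * annual_turnover)

def threat_cost(threat: Threat, tiers, annual_turnover: float) -> float:
    cost = salary_downtime_cost(tiers, threat.downtime_days)
    cost += sales_downtime_cost(annual_turnover, threat.turnover_days_lost, threat.sales_lost_fraction)
    if threat.data_breach:
        cost += gdpr_max_fine(annual_turnover)
    return cost

def compare(threat: Threat, tiers, annual_turnover: float, solution_cost: float, efficiency: float) -> dict:
    # Unmitigated cost next to the solution's cost and the exposure the solution leaves behind.
    unmitigated = threat_cost(threat, tiers, annual_turnover)
    residual = unmitigated * (1.0 - efficiency)  # efficiency is rarely 1.0
    return {"unmitigated": unmitigated, "solution_cost": solution_cost,
            "residual_exposure": residual, "net_benefit": unmitigated - residual - solution_cost}

# Constructed sample figures for illustration, not data from any real company.
TIERS = [UserTier("high", 40, 300.0, 1.0), UserTier("medium", 100, 250.0, 0.5),
         UserTier("low", 200, 200.0, 0.1)]
RANSOMWARE = Threat("ransomware with data exfiltration", 3, 3, 0.8, data_breach=True)
ANNUAL_TURNOVER = 50_000_000.0  # EUR
if __name__ == "__main__":
    # Constructed solution: EUR 200,000 upfront plus first-year cost, 85% efficiency.
    for key, value in compare(RANSOMWARE, TIERS, ANNUAL_TURNOVER, 200_000.0, 0.85).items():
        print(f"{key:>17}: EUR {value:,.0f}")
```

With these figures the GDPR term dominates the unmitigated cost, which is the point the article makes about fines; swapping `data_breach=False` shows how much of the exposure is pure downtime.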
Conclusion:
For 2020, CISOs must answer critical business questions clearly and speak in exact figures. They must quantify cyber threats and present solutions in terms of how they help maintain critical business strategy and operations.
With Boardish – boardish.io – CISOs will have access to a tool that helps them quantify cyber threats quickly, without having to deploy anything on-premise or grant access to their systems.
CISOs must work together with all departments and get all relevant information to present real threats in real numbers.
Boardish can help them create a snapshot of their company and help them run scenarios of different threats and their financial and market impact.
Let 2020 be the year of real numbers!