‘The ‘probability’ of a data breach is low’ – why using probability could end your CISO role

When it comes to discussing ‘risk’, we’ve noticed a recent trend of CISOs and cyber professionals turning to outdated ‘probability and likelihood’ frameworks.


That is to say, when they’re figuring out the risk to their company (and then trying to get budget approval), they plan solutions only for the threats deemed ‘more likely’, rather than for the threats with the greatest actual impact on the company.


Before we look at why this could be another contributing factor to high CISO turnover, and can damage your tenure in an organisation, we first want to pose a question:

If you quantify using the ‘likelihood’ of threats to your organisation, how do you account for the actual impact if you do get hit?


For example, when you use probability frameworks to quantify whether your organisation will get hit, you don’t get a true ‘impact figure’. You get a figure that has been scaled down by the likelihood that you won’t get hit.


But how does this help you if you do get hit?


If you never know exactly when your company is going to be exploited, how do you work out your security posture and exposure level accurately? How do you properly quantify the financial impact of each threat so that you know which one would expose you the most financially?


Why would you purchase solutions for a ‘very likely’ threat if that threat barely impacts you at all? And why would you leave your business open to a ‘less likely’ threat that could have devastating effects that your business never recovers from? 


This is what you’re doing when you look at probability: you’re not properly quantifying the impact of the threats.

To do that, you need to assume that you are hit and quantify the exact impact that would have on your business right now.


Then, as a CISO, you can plan accordingly. This is also how you consolidate and spend your budget smartly: you’re purchasing solutions that give you the best and the broadest coverage, rather than trying to plug the holes you think are going to appear.


With that in mind, there are also three reasons this can cause a problem for you specifically as a CISO:

#1 You’re taking responsibility when you use probability.

CISOs and cyber professionals who talk to the board or decision-makers about risk need to avoid taking responsibility for risk. When you tell the board that something ‘probably won’t happen’, the responsibility shifts to you if they decide not to approve your budget or solution request – after all, you’re the professional with the background knowledge who said it was unlikely to happen!


So, what SHOULD happen instead?

You quantify, in money terms, the complete financial exposure to the company from its current risks. Then you quantify the full solution cost for each risk (or for a combination of risks, if you have solutions that cover several). The BOARD decides whether they are happy to accept the financial exposure, or whether they need to mitigate it.

The CISO doesn’t make that business decision, and so doesn’t bear the responsibility if the threat materialises.
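To make the contrast between the two approaches concrete (the probability-adjusted ranking described earlier versus the assume-you-are-hit ranking, and the exposure-versus-solution-cost view the board is asked to decide on), here is an added example. It is not part of the original article and is not Boardish’s own method or tooling; every threat, loss figure, likelihood and control name in it is constructed sample data for illustration only.

```python
"""Two ways of ranking the same threats: probability-weighted (what the
article argues against) versus assume-you-are-hit (what it argues for),
plus the board-facing exposure-vs-cost table. All threats, figures and
control names below are constructed sample data, not real estimates."""
from dataclasses import dataclass
from itertools import combinations


@dataclass(frozen=True)
class Threat:
    name: str
    impact: float       # full financial loss if this threat is realised
    likelihood: float   # annual probability estimate, 0.0 .. 1.0 (constructed)


@dataclass(frozen=True)
class Control:
    name: str
    cost: float
    covers: frozenset   # names of the threats this control addresses


# Constructed sample figures: a likely-but-bounded fraud loss, a rare but
# business-ending ransomware event, and a frequent low-impact loss.
THREATS = [
    Threat("payment fraud via phishing", 300_000, 0.5),
    Threat("ransomware via unknown exploit", 5_000_000, 0.02),
    Threat("lost unencrypted laptop", 40_000, 0.8),
]

# Constructed controls; the "MDR bundle" models one solution covering several risks.
CONTROLS = [
    Control("payment call-back verification", 20_000,
            frozenset({"payment fraud via phishing"})),
    Control("EDR plus offline backups", 150_000,
            frozenset({"ransomware via unknown exploit"})),
    Control("full-disk encryption", 10_000,
            frozenset({"lost unencrypted laptop"})),
    Control("MDR bundle", 180_000,
            frozenset({"payment fraud via phishing", "ransomware via unknown exploit"})),
]


def probability_weighted(threats):
    """Rank by likelihood x impact: the 'adjusted' figure the article criticises."""
    return sorted(((t.name, t.likelihood * t.impact) for t in threats),
                  key=lambda row: -row[1])


def assume_breach(threats):
    """Rank by full impact, i.e. assume each threat is realised."""
    return sorted(((t.name, t.impact) for t in threats), key=lambda row: -row[1])


def total_exposure(threats):
    """Sum of full impacts: the figure the board is asked to accept or mitigate."""
    return sum(t.impact for t in threats)


def board_options(threats, controls, max_bundle=3):
    """For every bundle of up to max_bundle controls, report its cost, the
    exposure it covers and the exposure left over, so the board can decide.
    Lowest residual exposure first; among equals, cheapest first."""
    by_name = {t.name: t for t in threats}
    rows = []
    for size in range(1, max_bundle + 1):
        for bundle in combinations(controls, size):
            covered = frozenset().union(*(c.covers for c in bundle))
            covered_exposure = sum(by_name[n].impact for n in covered)
            rows.append({
                "bundle": tuple(c.name for c in bundle),
                "cost": sum(c.cost for c in bundle),
                "covered_exposure": covered_exposure,
                "residual_exposure": total_exposure(threats) - covered_exposure,
            })
    return sorted(rows, key=lambda r: (r["residual_exposure"], r["cost"]))


if __name__ == "__main__":
    print("probability-weighted:", probability_weighted(THREATS))
    print("assume breach:       ", assume_breach(THREATS))
    for row in board_options(THREATS, CONTROLS)[:3]:
        print(row)
```

With these constructed numbers the probability-weighted ranking puts payment fraud first and ransomware second, while the assume-breach ranking puts ransomware first; that reordering is the article’s point. The board table then shows that buying only the control for the ‘most likely’ threat leaves over five million in residual exposure, whereas the cheapest bundle that drives residual exposure to zero costs 180,000. The board, not the CISO, chooses which row to accept.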

#2 How do you work out the probability on a Zero-Day Ransomware Exploit? 

Bad actors are smart and constantly working to find new ways to attack systems. A probability approach is impossible here because you don’t know the likelihood of a bad actor exploiting a vulnerability that you don’t know about. And the damage from ransomware, as we all know, can be catastrophic for any company. Plus, it usually exploits user ‘vulnerabilities’, which you also can’t predict.

So, what SHOULD happen instead? 

The assumption needs to be that you WILL get hit. And when that happens, how protected are you as an organisation? What do you have in place to stop it? It’s not a matter of IF, it’s a matter of WHEN, and all the more so the larger your company becomes.

#3 You can’t work out the ‘probability’ of the human element.

We hear you, naysayers: there are a lot of threats out there that you can definitely say are ‘more likely’ than others for certain industries. But any threat vector that involves the human element or depends on human vulnerability is not something you can work out the probability of. Period.

What if June from accounting is having an off day and doesn’t read the email before clicking and making a payment to the wrong account for hundreds of thousands of dollars? What if Michael from Marketing was up all night with the kids and opens the ransomware attachment? How do you work out the probability of that in your calculations?

So, what SHOULD happen instead? 

Just like we mentioned before, it’s not a matter of IF, it’s a matter of WHEN. You can’t work out the likelihood of humans; by nature, we’re unpredictable. So why are you relying on that when looking at risks to the organisation?

For CISOs, if you’re going to use probability or likelihood frameworks, you ‘probably’ aren’t going to last very long. In fact, you’ll probably last as long as it takes for your organisation to be hit, and for you to take the full brunt and responsibility for the fallout. 

When technology meets 'bottom line'. There's Boardish.

Get the pragmatic guide to cyber risk quantification