To Quantify Cyber Risk, Assess Potential Loss Events

Nehemiah Security partnered with MightyGuides to interview seven industry experts with the mission of advancing the risk management conversation among cyber professionals. Each interviewee was posed the question, “If your friend was put in charge of measuring cyber risk at their company, what advice would you give them?”

Vicky Ames, Director of Information Security at Marriott International, says it is important for CISOs to shift a greater focus towards the business, how it operates, and its regulatory environment. “Security should be the group that is enabling business, and you can’t enable a business until you understand the nature of that business,” she explains. “So understand your revenue streams and understand what is critical up at that level so you can tie that back to what you can deliver. That way, you understand what will be most important from an organizational risk perspective.” Ames and her team start with a top-down approach when assessing environment risks. The goal is to understand the priorities and concerns of business executives. From there, the security team takes a more tactical look in these areas to answer the question, “What’s my dollar exposure here?”

I completely agree with Vicky that cyber needs to be a business enabler. Cybersecurity has a reputation for blocking or suffocating organizational initiatives. Yet, the same pull that security has to hinder these areas can be used to fuel and empower business initiatives. To do so, the cybersecurity team must have a strong grasp of the business they secure. For instance, a security professional should be able to identify that while a business function may not generate revenue, there are still other business impacts at risk from weak security. A data breach in the HR system is a common and prime example of this. Likewise, business disruption to supply lines may breach vendor contracts, causing legal and financial implications.

As Ames notes above, security leaders need to monitor and address these business concerns in a language the organization can understand—dollars. This is no simple task. Many security teams dive in headfirst and get lost in the weeds. Starting this change from the bottom up is a grind, one that doesn’t get far. A successful program starts from the top, with a CISO who understands the business as well as cyber and can communicate, in financial terms, how security investments underpin business operations.

Key Points:

1) A risk assessment methodology that analyzes loss events in terms of dollar amounts can help quantify the risks a business faces. A financial group within the company can help show if a security expenditure is going to have a direct positive impact on shareholder value.

2) Dollar figures provide a common point of reference for security professionals and executives when conducting risk assessments.
