Shifting cyber risk measurement from red, yellow, green to financially quantified

The Cyber Traffic Light…If Only It Were That Easy. Red means Stop. Yellow means Caution. Green means Go.

To millions of commuters, these definitions are obvious. I wish it were this simple in cybersecurity, but it’s just not. Yet a number of companies are still directing their security reporting to the Board of Directors in Red, Yellow, Green. If this is you, please heed this warning: a major traffic accident is about to happen!

Every security leader I talk to is looking to better communicate security to the Board. CISOs feel pestered by incessant questions such as, “What are the most important attacks we should worry about?”, “Are we spending enough on security?”, “Are we spending it in the right place? How do you know?”, and “How do we compare to our peers?” They feel pestered not because the questions are unfair, but because the questions cannot be answered with the scale-based approaches in use today.

And yet, the R/Y/G traffic light remains the tool most security teams use to make their case to the Board, with statements like “I need X amount of money to turn those Reds into Greens.” However, I also heard one conference presenter recently state a caveat tied to this approach: “When I am presenting R/Y/G to my Board, I get interrupted every 10 minutes or so to remind them of the definition of R/Y/G.”

What is wrong with this picture? How can any company make an educated, data-driven decision about where to invest its resources based on this? How can you compare yourself with peers when each company, or even each department, defines R/Y/G and 1-to-5 scores completely differently? The scores are ordinal labels with no units: two Reds cannot be added together, a Red in one department cannot be weighed against a Yellow in another, and turning a Red into a Green says nothing about how much expected loss was avoided. So how do you know how much to invest, and where that investment would do the most to reduce risk?

At the recent FS-ISAC Annual Summit, Robert Herjavec ended his keynote by saying, “I spend 50-60% of my time talking to Boards and they always ask, ‘How come we’re spending billions of dollars on the security industry, yet are still seeing so many breaches?’ Our industry needs to find a way to empirically measure risk against ourselves internally and against our peers. The scorecards and heat maps and spreadsheets we’re using today are just…meh.”

We are never going to be able to stop 100% of attacks. What businesses CAN do is establish a risk threshold: the amount of loss to their critical business processes that they are willing to accept. “Loss” cannot be defined by R/Y/G or 1-5; it should be defined financially, in the same terms the rest of the business uses. In practice the threshold is a statement such as “no more than a 5% chance of losing over $X in a year,” and each threat scenario is measured against it from an estimate of how often it occurs and how much each occurrence costs. Those estimates are uncertain, so they should be carried as ranges and the result presented as a spread of possible outcomes rather than a single number.

The Board knows the value of a dollar, and every business defines a dollar the same way. By shifting the conversation from theoretical heat maps and scorecards to empirically quantified, financially driven security decisions, CISOs can give the Board a clear understanding of how much risk the business faces day in and day out, and of what each proposed investment buys in reduced loss. By no means am I saying this is easy, but it is possible and the data already exists to make the change today.
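To make the financial framing concrete, here is an added example (not code from the original post) of how one threat scenario can be expressed in dollars and measured against a Board-stated loss tolerance, which is what the loss threshold above asks for. It assumes a simple model the post does not name: event frequency as a Poisson rate, per-event loss as a lognormal distribution pinned down by a median and a 90th-percentile estimate, and a Monte Carlo run over many simulated years. The ransomware scenario, the control and its cost, and the $1M tolerance are all constructed figures for illustration.

```python
"""Added example: expressing cyber risk as dollars instead of Red/Yellow/Green.

A risk scenario is described by how often it happens (events per year) and
how much each event costs (a median and a 90th-percentile loss, which pin
down a lognormal per-event loss distribution). A Monte Carlo run over many
simulated years then yields the figures a Board can act on: annualized loss
expectancy (ALE), the chance of exceeding a stated loss tolerance, and the
net benefit of a proposed control. All scenario numbers below are
constructed for illustration, not taken from the original post.
"""
import math
import random
from dataclasses import dataclass

Z_90 = 1.2816  # standard-normal z-score at the 90th percentile


@dataclass(frozen=True)
class Scenario:
    name: str
    events_per_year: float  # expected event frequency (Poisson mean)
    loss_median: float      # median loss per event, in dollars
    loss_p90: float         # 90th-percentile loss per event, in dollars

    def lognormal_params(self):
        """Convert the median/p90 estimate into lognormal (mu, sigma)."""
        mu = math.log(self.loss_median)
        sigma = (math.log(self.loss_p90) - mu) / Z_90
        return mu, sigma

    def analytic_ale(self):
        """Closed-form ALE = frequency * mean per-event loss."""
        mu, sigma = self.lognormal_params()
        return self.events_per_year * math.exp(mu + sigma ** 2 / 2)


def _poisson(rng, lam):
    """Draw an event count for one year (Knuth's method; fine for small lam)."""
    limit, k, p = math.exp(-lam), 0, 1.0
    while True:
        k += 1
        p *= rng.random()
        if p <= limit:
            return k - 1


def simulate_annual_losses(scenario, years=20000, seed=7):
    """Return one total loss figure per simulated year."""
    rng = random.Random(seed)  # fixed seed keeps the run reproducible
    mu, sigma = scenario.lognormal_params()
    losses = []
    for _ in range(years):
        n_events = _poisson(rng, scenario.events_per_year)
        losses.append(sum(rng.lognormvariate(mu, sigma) for _ in range(n_events)))
    return losses


def assess(scenario, loss_tolerance, years=20000, seed=7):
    """Summarise a scenario in terms a Board can compare across scenarios."""
    losses = simulate_annual_losses(scenario, years, seed)
    ordered = sorted(losses)
    return {
        "name": scenario.name,
        "ale": sum(losses) / len(losses),
        # probability that a single year's loss breaches the tolerance
        "p_exceed": sum(1 for x in losses if x > loss_tolerance) / len(losses),
        # loss in a 1-in-20 bad year (95th percentile of annual loss)
        "loss_p95": ordered[int(0.95 * len(ordered))],
    }


def control_net_benefit(before, after, annual_control_cost, loss_tolerance,
                        years=20000, seed=7):
    """ALE reduction bought by a control, minus what the control costs per year."""
    a = assess(before, loss_tolerance, years, seed)
    b = assess(after, loss_tolerance, years, seed)
    return (a["ale"] - b["ale"]) - annual_control_cost


# Constructed scenario: ransomware hitting the billing platform. In a real
# program the frequency and loss estimates come from incident history and
# calibrated expert estimates; these values are illustrative only.
RANSOMWARE_TODAY = Scenario("Ransomware on billing platform", 0.4, 200_000, 1_000_000)
# Same scenario after a hypothetical control (immutable backups plus EDR)
# that halves the frequency and shortens the typical outage.
RANSOMWARE_WITH_CONTROL = Scenario("Ransomware on billing platform (with control)",
                                   0.2, 100_000, 500_000)
CONTROL_ANNUAL_COST = 60_000     # constructed annual cost of the control
LOSS_TOLERANCE = 1_000_000       # constructed Board tolerance: > $1M in a year is unacceptable

if __name__ == "__main__":
    for s in (RANSOMWARE_TODAY, RANSOMWARE_WITH_CONTROL):
        r = assess(s, LOSS_TOLERANCE)
        print(f"{r['name']}: ALE ${r['ale']:,.0f}, "
              f"P(loss > ${LOSS_TOLERANCE:,}) = {r['p_exceed']:.1%}, "
              f"1-in-20 bad year ${r['loss_p95']:,.0f}")
    net = control_net_benefit(RANSOMWARE_TODAY, RANSOMWARE_WITH_CONTROL,
                              CONTROL_ANNUAL_COST, LOSS_TOLERANCE)
    print(f"Control net benefit: ${net:,.0f} per year")
```

Running it prints, for the scenario with and without the control, an annualized loss expectancy, the probability of breaching the $1M tolerance, and the loss in a 1-in-20 bad year, followed by the control's net annual benefit. That is a sentence a Board can weigh against any other spending decision, and it is exactly what "turning a Red into a Green" never tells them. A real program would replace the constructed inputs with calibrated estimates and report ranges rather than single numbers.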

Interested in more blog posts like this? Read our next blog about Why The CFO And CISO Need To Get Along.