I recently spoke to two CFOs about how cyber risk quantification (CRQ), a method used to measure cyber risk in financial terms, is shifting business conversations around cybersecurity posture. Both business leaders shared their frustration: it is a huge challenge for security leaders to find common language with business stakeholders to convey cyber risk in terms tied to business outcomes. The easiest way for security leaders to find common language is to translate security risk into dollar terms (CFO-speak). Security leaders can do this by using a CRQ solution.
What is CRQ and why is it important?
CRQ is a data-driven approach to quantifying an organization’s cybersecurity posture in dollar terms. With attack surfaces expanding, CRQ helps security leaders and their stakeholders make action-oriented decisions so they can protect their most critical assets and reduce the most threatening risks. Ideally a CRQ solution allows decision makers to easily trace financial risks to the underlying assets and vulnerabilities so the risk can be quickly remediated.
CRQ helps security leaders to align the cyber program with the business goals of CFOs and other stakeholders, such as reducing costs and creating more value for the organization. Quantifying cyber risk can benefit these key decision-makers in various ways:
- Security leaders can sort through the millions of (often contradictory) cybersecurity signals from various tools and gain insights into the overall cyber risk and the critical drivers of that risk.
- CFOs and CEOs can understand the potential financial impact of various cyber incident scenarios on the business.
- Board members and senior management can decide if the level of residual risk is acceptable, or if the organization needs to invest more in cybersecurity programs.
- Business owners can appreciate the levels of cyber risk in the business units that they are responsible for, understand the various cyber risk management options available to them, and can ultimately own and manage cyber risk much better.
- Everyone can rationalize the ROI of cyber security investments and ensure that money is being used for the right tools and resources.
Three desired outcomes stood out in my conversations with the two CFOs.
- “I want to see business metrics.”
- “I want to see clear and structured reports.”
- “I want real-time insights.”
The case for business metrics
There are many metrics you can present to your CFO to tell your cyber security story, but understanding what information to remove is just as valuable as knowing what to include. Imagine you are a sculptor starting with a large piece of stone: what do you chip away to create your masterpiece?
It can be tempting for security leaders to use operational metrics when speaking to executives and board members about cyber security risks. But while a list of software vulnerabilities and detection metrics is useful for managing the performance of your security teams in mitigating cyber threats, it does not help executives understand the monetary impact a cyber security event would have on the business. As one CFO I spoke to said: “the metrics I see need to drive business-oriented conversations around what we are doing to protect our organization, how we are doing it and what we need to be doing differently to stay protected.” Reporting on cyber risk in dollars, by contrast, provides a framework to tie the degree of cyber risk to financial impact. Executives and board members can then prioritize security projects, rationalize spending and track the effectiveness of their organization’s cybersecurity program.
Your CFO will understand the impact of your cyber security program more readily if the metrics you present outline:
- Your financial risk exposure.
- The cost of a breach by business unit, geography or asset type.
- The progress you’ve made reducing risk in your organization in monetary terms.
- The return on investment from your current and future investments in security tools in terms of reduced risk measured in dollars, or other currency.
Before walking into a meeting with your CFO, look at your cyber risk metrics and ask yourself: “how much of this information is relevant to the CFO?” If your metric doesn’t have business implications behind it or isn’t actionable, it should be removed.
The argument for clear and structured reports
As a security leader your job is to grab the CFO’s attention by telling a cyber risk story that resonates with them. Senior executives are swamped with reports showing operational metrics and key performance indicators. Often, these risk reports are confusing and provide too much detail. Moreover, they can become overloaded with technical terms that are not easily digestible for someone who isn’t a cyber security expert. As one CFO noted: “If a report is too simple it makes me question its accuracy, and if it’s too technical then it’s difficult to comprehend. I want information that is a blend of both so it’s memorable, easy to retain and tells a story about my organization’s cyber risk posture”. To add narrative content to your report, start by outlining the story you’d like to tell the CFO about your organization’s cyber risk, and then populate the data to add context.
Security leaders need to provide well-organized and accurate reports that clearly relay the security posture of an organization from a financial perspective. Manually compiled spreadsheets are error-prone and complex. Instead, use a CRQ solution to consistently report on a subset of key metrics with dashboards that support your business storytelling. For example, you can use Balbix Cyber Risk Quantification (Balbix CRQ) to inform your CFO and other leaders that the business they recently acquired has a breach risk of $10M, that much of the risk is related to the cloud service that powers the business, and that the likelihood of a breach is high given there are several exploited vulnerabilities that directly impact these cloud assets.
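As an added illustration of the dollar-denominated metrics listed above (exposure, cost by business unit, risk reduction, ROI) and of the acquired-business example, here is a deliberately small breach-risk model; it is not code from Balbix or from the original post. The asset inventory, the likelihood figures and the remediation cost are constructed assumptions, and a real CRQ solution uses far richer likelihood and loss modelling than this two-parameter one.

```python
from dataclasses import dataclass

# Constructed sample inventory (not real data): each asset carries the
# business unit it belongs to, the financial impact if it is breached, and
# whether it currently has a vulnerability known to be exploited in the wild.
@dataclass
class Asset:
    name: str
    business_unit: str
    impact_usd: float          # loss if this asset is breached
    exploited_vuln: bool       # unpatched vuln that is actively exploited

# Assumed (constructed) likelihood model: a baseline annual breach likelihood,
# raised sharply when an exploited vulnerability is present on the asset.
BASE_LIKELIHOOD = 0.05
EXPLOITED_UPLIFT = 0.30

INVENTORY = [
    Asset("cloud-api-prod", "AcquiredCo", 12_000_000, True),
    Asset("cloud-db-prod", "AcquiredCo", 8_000_000, True),
    Asset("hr-portal", "Corporate", 2_000_000, False),
    Asset("erp-core", "Corporate", 6_000_000, False),
]

def likelihood(asset: Asset) -> float:
    p = BASE_LIKELIHOOD + (EXPLOITED_UPLIFT if asset.exploited_vuln else 0.0)
    return min(p, 1.0)

def asset_risk_usd(asset: Asset) -> float:
    # Expected annual loss: likelihood of breach times financial impact.
    return likelihood(asset) * asset.impact_usd

def risk_by_business_unit(assets) -> dict:
    # Rolls asset-level risk up to the business unit, the view a CFO asks for.
    totals = {}
    for a in assets:
        totals[a.business_unit] = totals.get(a.business_unit, 0.0) + asset_risk_usd(a)
    return totals

def control_roi(assets, control_cost_usd: float) -> dict:
    # Models a remediation program that patches every exploited vulnerability,
    # returning those assets to the baseline likelihood, and reports the dollar
    # risk reduction and the return on that spend.
    before = sum(asset_risk_usd(a) for a in assets)
    patched = [Asset(a.name, a.business_unit, a.impact_usd, False) for a in assets]
    after = sum(asset_risk_usd(a) for a in patched)
    reduction = before - after
    return {"before": before, "after": after, "reduction": reduction,
            "roi": (reduction - control_cost_usd) / control_cost_usd}

if __name__ == "__main__":
    for bu, risk in risk_by_business_unit(INVENTORY).items():
        print(f"{bu}: ${risk:,.0f} expected annual loss")
    print(control_roi(INVENTORY, 500_000))
```

With these constructed inputs the acquired business carries about $7M of expected annual loss, almost all of it driven by the two cloud assets with exploited vulnerabilities, which is the kind of traceable, asset-level explanation behind a headline number that the post describes.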
The value of real-time insights
Generally speaking, your CFO needs to be able to provide real-time management support. But to do that, data must be readily available to support real-time business decisions. This is especially true for cyber risk. The idea is to give CFOs the right information when they need it: “I am happy to see big picture information every quarter, but I want to feel confident that in the case of a cyber threat the metrics in front of me are accurate, in real-time and will help our organization mitigate risks.”
Outdated or conflicting information creates a false sense of security and puts your organization at risk of a cyber breach given that new vulnerabilities and security issues emerge at a rapid rate. A CRQ solution can help your security team produce real-time insights and allow your CFO to make informed and strategic cyber risk decisions quickly and easily. Presenting up-to-date data also reassures your senior executives and board members that you are continuously tracking your organization’s security posture.
How can Balbix help?
Balbix CRQ allows you to align the CFO, other senior leaders, your board and your operational teams through a common business language and action-oriented dashboards. Balbix CRQ also allows decision makers to easily trace financial risks to the underlying assets and vulnerabilities so that risks can be quickly remediated. As a result, everyone can focus on protecting your most critical assets and reducing the most threatening cyber risks.
To see how Balbix CRQ can help your organization quantify its cyber risk, please download our white paper.