Counting on Quantitative Cyber Risk
By Paul Stokes
Everyone is talking about cybersecurity. Leaders with decades of experience at CEO, CFO and CRO level have seen it advance from a curious subset of IT to a board issue demanding their time and attention. Data security is a strategic concern, and data science is a necessary component to address it.
C-Suite executives have spent recent years sweating their way through reports detailing threats and vulnerabilities, incident response and threat hunting, cloud and endpoint security. Lightbulbs have started going off more recently as these beleaguered executives have made a breakthrough concerning all things security: it is just another form of company risk.
Now it is the security teams and service providers who are scrambling to adapt their outlooks. Those holding the purse strings and dictating company strategy are calling for security that can be measured in terms of risk and ROI. Determining risk is a quantitative task, and doing it right requires an overhaul in process to go from qualitative to quantitative analysis, and from analogue to automated assessment.
Bridging the gap
There is a considerable gulf between these latest demands echoing from the C-Suite and the reality of security offerings. Research from the UK’s Department for Culture, Media and Sport shows that the perceived importance of cyber risk has almost tripled in five years, but the expertise and technology needed to address cyber risk has not kept pace. This has created a demand for innovation that addresses cyber risk, which the market has still failed to meet.
The decision to define security as a business risk has put security on a more quantitative footing and accelerated the industry’s shift towards applying data science to security. Cyber risk management requires quantitative analysis that expresses cyber risk in business terms, and to do this effectively at enterprise scale requires applied data science. This approach allows us to calculate ROI for security spending and adjust these calculations using dynamic data.
This in turn means security teams must bridge the gap by adding the data science talent and commercial experience needed to express risk in business terms. Executives have correctly established that their time is best spent making business and financial decisions rather than technical ones. Naturally, creating this framework requires business, financial and technical expertise, wrapped up with security data science.
Adding data science and business responsibilities to the security team is a boon for the C-Suite and a headache for CISOs. Let’s take a look at how to make this process easier.
Tips for implementing cyber risk management
The knee-jerk reaction when setting a quantitative business target is to find out what the competition is doing and try to one-up them, or to find the industry average and try to meet it.
This is a mistake. Every company has a different international footprint, IT infrastructure and risk appetite. Security is highly idiosyncratic, and therefore measuring the risks and investment specific to the organization is more valuable than matching competitor spending or any other external metric. Data science relies on bringing in recent and relevant data, and competitor benchmarks will not allow us to accurately measure the business risk of our own security posture and decisions.
It is important to take the time to find effective quantitative risk metrics rather than merely accessible ones. Cyber risk management requires a defined risk appetite and a continuously updated asset inventory, as well as an agreed framework for evaluating risk. These in turn require a technology architecture to store the data, and the data science talent to analyze it. Once security leaders have established these in collaboration with their board and CRO, they can get to work building a framework of bespoke cyber risk metrics.
Deploy Data Science
While some readily available data models will inform cyber risk, getting truly insightful risk scoring requires iterating on multiple purpose-built models over an extended period. This requires data science talent and a commitment to medium-term targets by management and security teams.
Qualitative, one-off measurements of security posture can be set aside or scrapped entirely. Data science allows us to apply automated risk analysis based on continuous data, transforming company data into patterns of activity and clustering of potential risk. Qualitative decisions should inform how data models are built, but the process of measuring risk should be quantitative. This is central to cyber risk management.
The executives demanding cyber risk management are bringing the conversation back to business considerations, their area of expertise. Security teams implementing a cyber risk management approach need to ditch technical jargon and brush up on their financial and risk vocabulary. Forget SIEM logs, TTPs and DLP. Learn to describe value at risk, projected losses and ROI.
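To make the vocabulary concrete, the following is an added example that is not part of the original article and does not describe any specific product or the author's own method. It assumes a simple FAIR-style model: the number of loss events per year is Poisson-distributed, the loss per event is lognormal, and a candidate control is valued by how much it reduces event frequency. All parameter values (two events per year, a 50,000 median loss, a control costing 30,000 per year that halves frequency) are constructed for illustration, not real data. A Monte Carlo run turns those inputs into the three numbers the paragraph asks for: expected annual loss, 95% value at risk, and the ROI of the control.

```python
"""Added example: expressing cyber risk as expected loss, VaR and control ROI.

Not code from the original article. Model and parameters are assumptions:
Poisson event frequency, lognormal per-event loss, control modelled as a
frequency reduction. Uses only the standard library so it runs offline.
"""
import math
import random
from statistics import mean


def poisson(rng: random.Random, lam: float) -> int:
    """Sample a Poisson count with Knuth's method (fine for small rates)."""
    limit = math.exp(-lam)
    k, p = 0, 1.0
    while True:
        p *= rng.random()
        if p <= limit:
            return k
        k += 1


def simulate_annual_loss(rng: random.Random, events_per_year: float,
                         loss_median: float, loss_sigma: float,
                         trials: int) -> list:
    """Return one simulated total annual loss per trial.

    Each trial draws an event count, then a lognormal loss per event and
    sums them. loss_median is the median single-event loss; loss_sigma is
    the lognormal spread (1.0 means a long right tail, as breach costs have).
    """
    mu = math.log(loss_median)  # lognormal median == exp(mu)
    results = []
    for _ in range(trials):
        n = poisson(rng, events_per_year)
        results.append(sum(rng.lognormvariate(mu, loss_sigma) for _ in range(n)))
    return results


def value_at_risk(losses: list, confidence: float = 0.95) -> float:
    """Empirical VaR: the loss not exceeded in `confidence` of trials."""
    ordered = sorted(losses)
    idx = min(len(ordered) - 1, math.ceil(confidence * len(ordered)) - 1)
    return ordered[idx]


def control_roi(baseline_eal: float, residual_eal: float, annual_cost: float) -> float:
    """ROI of a control = (expected loss avoided - cost) / cost."""
    return (baseline_eal - residual_eal - annual_cost) / annual_cost


def assess(seed: int = 1, trials: int = 20_000) -> dict:
    """Run the constructed scenario and return the business-facing figures."""
    rng = random.Random(seed)  # fixed seed so the assessment is reproducible
    # Constructed baseline: 2 events/year, median loss 50,000, sigma 1.0.
    baseline = simulate_annual_loss(rng, 2.0, 50_000, 1.0, trials)
    # Hypothetical control halves event frequency at 30,000 per year.
    residual = simulate_annual_loss(rng, 1.0, 50_000, 1.0, trials)
    base_eal, res_eal = mean(baseline), mean(residual)
    return {
        "expected_annual_loss": base_eal,
        "var_95": value_at_risk(baseline, 0.95),
        "residual_expected_annual_loss": res_eal,
        "control_roi": control_roi(base_eal, res_eal, 30_000),
    }


if __name__ == "__main__":
    for name, value in assess().items():
        print(f"{name:>30}: {value:,.0f}" if "roi" not in name else f"{name:>30}: {value:.2f}")
```

Two points worth noticing in the output. The 95% VaR sits far above the expected annual loss, which is why a single "average" figure understates the tail the board actually cares about; and the control's ROI depends entirely on the assumed frequency reduction and loss distribution, so the model inputs (the asset inventory, incident history and risk appetite the previous section calls for) are where the real work lies, not the arithmetic.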