Methods for Quantifying Technology Risk
Using Technology Risk Metrics to Make Business Decisions
Article written by: Eric Vanderburg (Vice President, Cybersecurity, TCDI), Koushik Subramanian (CISO – UI Labs and Director Of Manufacturing Cybersecurity – DMDII, UI LABS), Vito Sardanopoli (Principal and Owner, Vantage CyberRisk Partners, LLC), and Martin Mazor (Senior Vice President and CISO, Entertainment Partners)
In the previous article (Quantifying Enterprise Technology Risk — PART 1), we discussed different methods for quantifying technology risk. Although some frameworks and cyber-risk assessment methods are highly technical, there is a growing interest in measuring cyber risk in terms of its business impact. The goal is to quantify cyber risk in a way that can be viewed and evaluated as another form of business risk. Cyber-risk metrics must be meaningful to business decision-makers and operations managers who are making business decisions with cyber risk in mind.
But how do businesses apply risk metrics when they are making decisions? Most people, especially security managers, think about cyber-risk metrics as a tool for prioritizing security spending and optimizing a security practice, and of course that is true. But there are two ways to mitigate cyber risk. One is to invest in solutions that strengthen the security program. Another is to curtail risky operations.
It’s that second option, curtailing risky operations, that really puts cyber risk in the same ballpark as other kinds of business risk. That’s because it is not only about curtailing existing risky operations: every business operation has risk associated with it. If a business considers launching a new process, product, or service, it must weigh the risks to its investment. What will this new thing cost? How long will it take to turn a profit? How does it impact our current business? Will our customers embrace it or be offended by it? How do the new systems we need to support it change our cyber-risk exposure, and what will it cost to mitigate that risk? What is our overall risk if we move in this new direction? By answering questions like these, we begin to see how cyber risk has become an integral part of the strategic-risk discussion.
From a cybersecurity-management perspective, good cyber-risk metrics play an essential role in shaping the security program. Eric Vanderburg, vice president of cybersecurity at TCDI, explains, “Cyber-risk assessments help businesses prioritize mitigation. Businesses typically prioritize remediation of high-risk items that require a low cost or effort. By assessing risks and costs, businesses can identify which ones will provide the best cost/benefit. This is often combined with information on how interrelated risks can be addressed together for cost savings. Most companies have a limited budget for cybersecurity, so they need to plan carefully to achieve the most with what is available.”
Vito Sardanopoli, chief information security officer (CISO) at Atlantic Health System, points out how cyber-risk metrics can help refine and improve a security practice with highly targeted spending. “Cyber-risk assessments that delve into specific security domains such as data protection, identity management, vulnerability management, threat intelligence, and others, serve as a valuable resource to help improve decision-making pertaining to IT and/or security operations by focusing on specific cybersecurity risks,” he says. “That, combined with information about what is happening in our environment, the kind of information we get from UEBA [User and Entity Behavioral Analytics] tools, for example, gives additional insights to improve how we protect our environment.”
Koushik Subramanian, CISO at UI LABS and director of manufacturing cybersecurity, recognizes the broader value of good cyber-risk metrics. “Businesses that have the tools to calculate their cyber risk are the ones that can make better operational decisions, because the data is clear. Many businesses only have tools to identify cyber risk, but they lack the knowledge to turn that into dollars. Making operational decisions requires clean and consistent data, and it all starts with a consistent risk framework and scoring methodology.”
And Martin Mazor, senior vice president and CISO at Entertainment Partners, is clearly talking about how good cyber-risk calculations play a strategic role at the highest level of business decision-making when he says, “In my experience, embedding identified cyber risks into board-level strategies aligns the goals of the organization to risks. There tends to be a separation in some organizations of the security program and other programs, such as operational and HR risk for instance. However, cyber risk needs to be at the front of the discussion, so the business leaders can make proper decisions. A good example is in mergers, acquisitions, and divestitures [MAD]. Understanding cyber risks at the onset ensures that overall risks are accurately considered when taking on these kinds of programs.”
- Many businesses have tools to identify cyber risk, but they lack the knowledge to turn that into dollars. Making operational decisions requires clean and consistent data, and it all starts with a consistent risk framework and scoring methodology.
- Organizations often separate the security program and other programs, such as operational and HR risk for instance. However, cyber risk needs to be at the front of the discussion, so that business leaders can make proper decisions.