Quantifying Enterprise Technology Risk
Methods for Quantifying Technology Risk
Article written by: Eric Vanderburg (Vice President, Cybersecurity, TCDI), Koushik Subramanian (CISO – UI Labs and Director Of Manufacturing Cybersecurity – DMDII, UI LABS), Vito Sardanopoli (Principal and Owner, Vantage CyberRisk Partners, LLC), Martin Mazor (Senior Vice President and CISO, Entertainment Partners), and Makesha Caldwell (Information Security Manager, Independent Consultant)
Estimating business risk, and making business decisions based on risk, is a traditional function of senior management. However, in the age of digital business, technology risk increasingly dominates that business-risk discussion. One sign of this is the amount of time senior executives and board members spend discussing cyber risk. Many businesses are moving cyber-risk management out of the IT department and into the overall enterprise risk management (ERM) group.
Regardless of who is responsible for managing the IT component of business risk, cyber risk remains a technical problem with technical solutions. To manage it, vulnerabilities must be identified, their impacts understood in business terms, and decisions made about mitigation. This involves quantifying cyber risk in terms that business decision-makers understand. But how do you quantify technology risk in ways that are meaningful for operations managers and decision-makers?
Most cyber-risk analysts use two essential tools: one or more cybersecurity frameworks, and a metric associated with those frameworks. There are many frameworks to choose from, and many tools to help with risk scoring. Common choices include guidance from the Open Web Application Security Project (OWASP); various National Institute of Standards and Technology (NIST) and International Organization for Standardization (ISO) standards; the Common Vulnerability Scoring System (CVSS), which rates the technical severity of individual vulnerabilities (a severity score, not by itself a measure of business risk, because it says nothing about how likely exploitation is in a given environment or what a loss would cost); and Factor Analysis of Information Risk (FAIR), which estimates risk from the frequency and magnitude of loss events rather than scoring vulnerabilities.
Vito Sardanopoli, chief information security officer (CISO) at Atlantic Health System, explains his approach. “I have successfully applied frameworks such as COBIT [from ISACA] and IT Score [from Gartner] to help develop an overall risk score based on the current capabilities of our security program. This helps us determine and prioritize risks associated with our security program and the enterprise overall. We have also found that security-risk-scoring tools such as BitSight are helpful. While these tools are not completely comprehensive, they do calculate a meaningful score based on real cyber-risk factors facing your organization. They also give us a way to determine how our organization’s risk compares to other organizations both within and outside our industry vertical.”
Koushik Subramanian, CISO at UI LABS and director of manufacturing cybersecurity, uses a specialized tool his organization helped develop. “DMDII [Digital Manufacturing and Design Innovation Institute] has partnered with Cyberpoint to create a tool called CyVAR,” he relates. “CyVAR models attacks, calculates a business’s overall value, and provides a clean prioritized list of where organizations can get the best bang for their buck. It is currently mapped to the NIST 800-171 framework, but the tool is adaptable to other popular frameworks such as the NIST CSF Manufacturing Profile and ISO 27001.”
Makesha Caldwell, information security consultant, favors the FAIR methodology, saying FAIR provides a quantitative approach that is useful in reaching sound risk-mitigation decisions to meet the organization’s overall strategic goals. The need to align cybersecurity to the broader business strategy is an important consideration. Martin Mazor, senior vice president and CISO at Entertainment Partners, points out that scoring cyber risk matters not only for optimizing a security program but for treating it as part of overall corporate risk. “We use a hybrid approach for defining and scoring cyber risks,” he says. “We use the key tenets in the Factor Analysis of Information Risk [FAIR] and the Capability Maturity Model Integration [CMMI]. The purpose of using both of these frameworks is to define true corporate risks and value along with a measurement model that our key executives and the board can easily understand against other business units. If we just used cyber-risk scoring alone, the message tends to get lost when comparing it to other business functions. By combining both we are able to identify real risks and the overall maturity of the security program with business goals.”
Eric Vanderburg, vice president of cybersecurity at TCDI, agrees, saying that risk scoring must look at the broader business impact and consider dependencies throughout the organization. It should also use simple metrics. “A business-impact assessment [BIA] is the place to go for quantifying cyber risk and its impact on the business,” he explains. “As such, the BIA takes a very business-oriented view, starting with tangible elements of the business such as assets and business processes. A company then assigns impact ratings to these processes and assets. These can be low, medium, high ratings, or a bounded scale such as a 10-point scale. I recommend a numeric scale because it is easier to combine and aggregate ratings. Dependencies are then mapped out so that the organization can identify the impact of a disruption in a specific area. For example, if the database server for the customer service portal were unavailable, this would impact the portal and all the portal processes as well as processes that interface with the portal such as elements of a ticketing system, service metrics, and so forth. Threats to the business can now be mapped against the business elements they target to determine the business impact.”
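The dependency-mapping step Vanderburg describes, worked through in code as an added example (this is not code from the article or from any contributor's tool): assets and business processes carry a numeric impact rating on a 10-point scale, dependencies form a directed graph, and the blast radius of a disruption is the set of elements reachable downstream of the failed one. Threats are then scored by the aggregated impact of everything they would take down. The inventory, ratings, dependency edges and threat register below are all constructed for illustration.

```python
"""Minimal business-impact assessment (BIA) model: numeric impact ratings,
an explicit dependency graph, downstream blast-radius calculation, and a
threat register ranked by aggregated business impact. All data is made up."""
from collections import deque

# Constructed inventory: element -> impact rating on a 1-10 scale.
# Numeric ratings are used so they can be summed and compared directly,
# which low/medium/high labels do not allow.
IMPACT = {
    "db-customer-portal": 6,
    "customer-portal": 8,
    "portal-login": 7,
    "portal-order-lookup": 5,
    "ticketing-system": 7,
    "service-metrics": 3,
    "payroll": 9,
}

# Constructed dependency graph: each key depends on every element in its set.
DEPENDS_ON = {
    "customer-portal": {"db-customer-portal"},
    "portal-login": {"customer-portal"},
    "portal-order-lookup": {"customer-portal"},
    "ticketing-system": {"customer-portal"},
    "service-metrics": {"customer-portal", "ticketing-system"},
    "payroll": set(),
}

# Constructed threat register: threat -> elements it directly targets.
THREATS = {
    "ransomware on database host": ["db-customer-portal"],
    "credential stuffing against portal": ["portal-login"],
    "insider misuse of payroll": ["payroll"],
}


def dependents_of(graph):
    """Invert 'X depends on Y' into 'Y is depended on by X' so we can walk downstream."""
    rev = {}
    for element, deps in graph.items():
        for dep in deps:
            rev.setdefault(dep, set()).add(element)
    return rev


def blast_radius(failed, graph=DEPENDS_ON):
    """Every element that stops working, directly or transitively, if `failed` is unavailable.
    Breadth-first walk with a visited set, so dependency cycles cannot loop forever."""
    rev = dependents_of(graph)
    seen = {failed}
    queue = deque([failed])
    while queue:
        current = queue.popleft()
        for downstream in rev.get(current, ()):
            if downstream not in seen:
                seen.add(downstream)
                queue.append(downstream)
    return seen


def disruption_impact(failed, ratings=IMPACT, graph=DEPENDS_ON):
    """Aggregate impact of losing `failed`: the summed rating across the blast
    radius plus the single worst-hit element, so one critical process is not
    hidden behind many minor ones."""
    affected = blast_radius(failed, graph)
    return {
        "affected": sorted(affected),
        "total": sum(ratings[e] for e in affected),
        "worst": max(ratings[e] for e in affected),
    }


def rank_threats(threats=THREATS, ratings=IMPACT, graph=DEPENDS_ON):
    """Map each threat to the business elements it targets (and everything
    downstream of them) and rank threats by aggregated impact, highest first."""
    scored = []
    for name, targets in threats.items():
        affected = set()
        for target in targets:
            affected |= blast_radius(target, graph)
        scored.append((name, sum(ratings[e] for e in affected), sorted(affected)))
    scored.sort(key=lambda row: row[1], reverse=True)
    return scored


if __name__ == "__main__":
    for name, score, affected in rank_threats():
        print(f"{score:3d}  {name}: {', '.join(affected)}")
```

The database server carries only a 6 on its own, yet its disruption aggregates to the highest score because of what sits downstream of it; that is the point of mapping dependencies before scoring threats. The summed total is one aggregation choice among several; keeping the single worst hit alongside it stops a long tail of minor processes from masking one critical one.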
The goal is to quantify cyber risk so that it can be treated as another form of business risk. For cyber-risk metrics to make a useful contribution to the business-risk discussion, the metrics must be meaningful to business decision-makers and operations managers in their business contexts.
- To manage cyber risk, vulnerabilities must be identified, their impacts understood in business terms, and decisions made about mitigation. This involves quantifying cyber risk in terms that business decision-makers understand.
- Most cyber-risk analysts use two essential tools: one or more cybersecurity frameworks, and a metric associated with those frameworks.