The Need for a Business-First Approach to Cyber-Risk Scoring

Jan 17, 2019

Article written by: Mannie Romero (Executive Director – Office of the CISO, Optiv Inc), Barbie Bigelow (Senior Vice President and CIO, Jacobs Engineering Group), and Kalpesh Doshi (CISO, FIS)

Cybersecurity is no longer just an IT team function. So much of what a business does today depends on the technology and data systems the IT team is responsible for maintaining that decisions related to security and cyber-risk management have tremendous operational implications for the business. Business managers who are driving digital transformation within organizations therefore need to be actively involved in those decisions.

Cyber-risk scoring is a key part of vulnerability management. If business managers are to participate in vulnerability management decisions that affect their business units, risk assessments must use a business-first approach to risk scoring. That means measuring cyber-risk in terms of its cost and impact to the business. It also means that you need a cyber-risk scoring model that business leaders can effectively assess, something similar to a credit score.

Given that every business has its vulnerabilities, what are the key factors you must consider when quantifying the business impact of a cyber-risk or vulnerability? The first step is knowing what you have. Some organizations have this data in their configuration management databases; others use spreadsheets. As Barbie Bigelow, senior VP and CIO at Jacobs Engineering, points out, “The critical factor in assessing cyber-risk is understanding the value and residence of your data. With this knowledge in hand, the entire team can collaborate on the protection of those assets.” Assigning a business criticality rating to these assets can ensure that business leaders have a mechanism to “weigh in” on the cyber-risk scoring model, bringing the business component to the forefront.

It is this collaboration with business teams that makes it possible to put vulnerabilities into a business context. Kalpesh Doshi, CISO at FIS, says, “For any vulnerability, you have to ascertain first and foremost the impact of its exploitation actually occurring in the organization.” That includes looking at business costs such as reputation damage, fines for regulatory violations, and remediation costs.

These evaluations apply not only to a business’s internal systems but also to third-party systems or services the business uses. In addition, it’s not just the obvious vulnerabilities that matter. As Mannie Romero, CISO at Optiv Security Inc., points out, “Don’t ignore the ‘black-swan’ events—those low-probability/high-impact cyber-risks. Risk management processes and models have historically not managed these risks well; in fact, it is typically these events that change the course of history and enterprises.”

Putting all these risks into a business context, and then scoring them in business terms, is challenging. That’s why Barbie Bigelow advises using a risk scoring framework “that connects business value to technical systems.” There are many frameworks to choose from, including the National Institute of Standards and Technology Cybersecurity Framework, the ISO/IEC 27001 family of information security management systems, the Capability Maturity Model Cybermaturity Platform, the Payment Card Industry Data Security Standard, and the Center for Internet Security’s CIS Controls. Several of these frameworks include methods for business-centric risk scoring, but as Kalpesh Doshi notes, “The irony is that we do not have a standardized benchmark for cyber-risk scoring. Depending on the framework you choose, your approach to risk management will differ in terms of representation.” Mannie Romero prefers the Factor Analysis of Information Risk (FAIR) framework. “FAIR takes a business-first approach to cyber and operational risk,” he says. “In my opinion, this model does a good job of comprehensively identifying threats, vulnerabilities, and losses.”

As businesses come to depend more heavily on digital platforms, a business-first approach to cyber-risk scoring will evolve into the cornerstone of an effective security strategy because disruption of digital systems often has a direct impact on essential business operations. Mannie Romero says, “The very nature of a digitally transformed business is that business, technology, and security all come together. There is no daylight between these three endeavors, so cyberthreats translate directly into business threats for these organizations.” Building a business-first approach to cyber-risk scoring can bring these teams together to drive positive business results – something every executive team and board of directors wants to see.

Key Points:

  1. For business managers to participate in vulnerability management decisions that impact their business units, risk assessments must measure cyber-risk in terms of its cost and impact to the business.
  2. Assessing cyber-risks in a business context and scoring them in business terms is often best done with the help of a risk scoring framework that connects business value to technical systems.