
Executive Level Cyber-Risk Metrics the Experts Like Most

by | Apr 4, 2019


As cyber risk has taken a front row seat alongside other forms of business risk, executives need to see cyber-risk metrics that tie to business impact. This helps them consider cyber risk as they make strategic business decisions. Given that most executive-level decision-makers are not cybersecurity experts, and often lack a technology background, what is the best way to communicate cyber risk to business leaders?

To find out, we reached out to business and security leaders in several different industries and asked them to tell us about their favorite cyber-risk metric that helps explain the security risk to senior executives or board members. We also asked why those metrics are important to senior people who are weighing decisions of strategic business significance and may be considering cyber risk alongside other business risks. Here is what they had to say:

Richard Holmes, senior vice president and chief information security officer (CISO), Union Pacific Railroad: My favorite measure is the loss-exceedance curve that depicts economic impact based on the sum of probabilities of all cyber events. It is the first time I have been able to put the risks in a language that is understood by the audience. They are well-versed in the different investment choices based on forecasted returns. This is just an implementation of those concepts. Our approach is based on the work of Doug Hubbard and his book How to Measure Anything.
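A worked illustration of the loss-exceedance curve Holmes describes, added here and not taken from the article, Union Pacific, or Hubbard's book: a small Monte Carlo simulation that turns per-scenario annual probabilities and calibrated 90% loss ranges (all of them constructed sample values) into the probability that total annual loss exceeds each of several dollar thresholds.

```python
import math
import random

# Constructed sample scenarios (assumptions, not figures from the article):
# each event type has an annual probability of occurring and a lognormal loss
# described by a 90% confidence interval (5th..95th percentile), the
# calibrated-estimate form used in Hubbard-style quantitative risk analysis.
SCENARIOS = [
    # (name, annual probability, 90% CI lower loss, 90% CI upper loss)
    ("ransomware outage", 0.10, 500_000, 20_000_000),
    ("data breach and notification", 0.15, 200_000, 8_000_000),
    ("business email compromise", 0.30, 50_000, 2_000_000),
    ("DDoS against revenue site", 0.20, 20_000, 1_000_000),
]

Z90 = 1.645  # z-score of the 95th percentile of a standard normal


def lognormal_params(low, high):
    """Convert a 90% CI on loss into the lognormal (mu, sigma) that produces it."""
    mu = (math.log(low) + math.log(high)) / 2
    sigma = (math.log(high) - math.log(low)) / (2 * Z90)
    return mu, sigma


def simulate_annual_losses(scenarios, trials=10_000, seed=1):
    """Monte Carlo: summed loss per simulated year across all scenarios."""
    rng = random.Random(seed)  # fixed seed so results are reproducible
    params = [(p, *lognormal_params(lo, hi)) for _, p, lo, hi in scenarios]
    totals = []
    for _ in range(trials):
        year_loss = 0.0
        for prob, mu, sigma in params:
            if rng.random() < prob:  # did this event occur in this year?
                year_loss += rng.lognormvariate(mu, sigma)
        totals.append(year_loss)
    return totals


def loss_exceedance_curve(totals, thresholds):
    """P(annual loss >= threshold) for each threshold: the points of the LEC."""
    n = len(totals)
    return {t: sum(1 for x in totals if x >= t) / n for t in thresholds}


if __name__ == "__main__":
    losses = simulate_annual_losses(SCENARIOS)
    for threshold, prob in loss_exceedance_curve(losses, [1e5, 1e6, 5e6, 1e7]).items():
        print(f"P(loss >= ${threshold:>12,.0f}) = {prob:5.1%}")
```

Plotting the thresholds against the probabilities gives the downward-sloping curve; a proposed control is justified when its cost is less than the reduction in expected loss it produces on that curve.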

Marcos Bueno, head of media technology, Vox Media, Inc.: “Revenue risk” is a metric I have been leaning on when planning security initiatives. By taking the time to dive into the business operations of various units you can identify areas for investment that can protect the company from loss. This metric is helpful since it speaks to the core business from a financial perspective, which creates a clearer understanding with C-Suite when seeking project funding.

Roderick Currie, information systems security manager, Boeing, and automotive cybersecurity researcher: I’m a big fan of emphasizing the human element when it comes to cyber risk. I do firmly believe that a company’s biggest risk is its people, including its executives. In fact, a company’s executives are often the most likely to be targeted by attacks such as spear-phishing or “whaling.”

If a company has an internal security-awareness program that includes routine phishing assessments, I find that a metric detailing what percentage of employees clicked on a phony malicious email can be very powerful to the C-Suite.

Another tactic that really hits home for the executives is to dig up recent articles detailing how the CEO of XYZ Corporation was duped by nefarious actors to the tune of millions in damages. This happens all too often.

Carol Roberts, senior information systems security specialist at a large education management company: I’m of the mind that everything has to be presented as “What are we at risk of losing?” immediately followed by, “What vulnerabilities are in the system presently?” and then, “What detection methods do we have to catch any activities that might be a result of those known and unknown vulnerabilities?”

C-levels need to be told what items are at risk, and what steps we’re taking to mitigate those threats. For example, if I know there are 3,000 vulnerabilities that still haven’t been patched, I can report the steady decrease month over month, and what that means for company security.

With any security program, risk must be evaluated against the cost of investing in new tools and technologies that support reducing risk. According to Gartner,

Pull Quotes

  • “My favorite measure is the loss-exceedance curve that depicts economic impact based on the sum of probabilities of all cyber events.”
  • “‘Revenue risk’ is a metric I have been leaning on when planning security initiatives.”

Key Points

  • C-levels need to be told what they are at risk of losing, what vulnerabilities are in the system presently, and what is being done to catch any activities that might be a result of those known and unknown vulnerabilities.
  • By taking the time to dive into the business operations of various units you can identify areas for investment that can protect the company from loss.