Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Cloud

11/7/2019
02:00 PM
Andrew Morrison
Andrew Morrison
Commentary
Connect Directly
LinkedIn
RSS
E-Mail vvv
100%
0%

To Prove Cybersecurity's Worth, Create a Cyber Balance Sheet

How tying and measuring security investments to business impacts can elevate executives' understanding and commitment to cyber-risk reduction.

The definition of success and the accurate measurement of the indicators of that success are business imperatives. In some fields, they are easily recognized and fairly simple to measure — for example, measuring sales volumes, return on investment (ROI), or customer satisfaction survey results.

However, in fields such as preventive medicine or aviation safety — where success is measured by diseases avoided or disasters averted — executives face the challenge of proving a negative to determine success. Cybersecurity is a prime example of this, with security teams struggling to succinctly demonstrate the ROI from not getting hacked last month or from not losing valuable customer data from the breach that never happened.

Proving the "crisis averted" makes it hard to demonstrate value in a way that traditional corporate executives can understand. However, given how organizations are prioritizing a number of digital transformation initiatives to increase efficiencies and simplify environments in both scope and proximity to core business operations, the mandate for doing so is increasingly urgent. The way to drive the value proposition of cyber beyond just the walls of the IT office and onto the value assurance and risk management agendas of top organizational leaders is by framing the data into a format they can quickly process. CISOs can do this by tying security investments to business impacts through a cyber balance sheet.

The resulting impact of a cyber incident can be widespread and long lasting. Therefore, investments in cyber-risk solutions should be substantiated and correlated to these business impacts. And, the cost estimation of these impacts should evolve to meet today's reality. Historical calculations (such as server downtime) and recovery time objectives are no longer enough.

Executives need to be able to consume the complexities of cyber-risk in business terms and receive repeatable, meaningful metrics upon which to base risk decisions. Often, the information being provided by CISOs and security teams to update management on their cyber exposure is highly complex and generated in a technical lexicon. This thwarts the ability of management to truly understand much less calculate value regarding cyber-risk, and ultimately puts them at a disadvantage regarding their ability to effectively prioritize, govern, and execute on cyber programs that can have operational, financial, and reputational impacts.

Let's dig into the proposed cyber balance sheet. Balance sheets, and financial statements in general, exist to provide a broad view of the financial performance of an entity. They are based on a standard framework that takes vast amounts of data from many different sources and systems and consolidates that information down to a cohesive view of financial performance that is easily understood by those who consume it. The demands of cyber-risk reporting are analogous; large amounts of technical risk data need to be consumed from many systems and synthesized down to easily understandable, meaningful business risk terms to allow a variety of stakeholders to make decisions.

Using financial modeling, companies can adopt approaches for estimating both the direct and hidden intangible costs associated with cyber-risk and express those risks in traditional financial terms. These models should be based on industry-accepted frameworks (e.g., FAIR, NIST, etc.). A cyber balance sheet incorporates these financial models and related tools to gauge the impact differential between, say, two hours of downtime for an online merchant website versus two hours of downtown for a complex manufacturing line. While the former could mean lost customer data, the latter could cause a vast ripple effect on production and even shut down your just-in-time global supply chain because expensive infrastructure was sabotaged and destroyed.

Organizational Steps Toward More Cyber Visibility and Investment
Against this backdrop, cyber-risk should be structured and measured beyond mere threats, vulnerabilities, and probability — and into the realm of fully assessing the nature and severity of risks; the "materiality" of threats for prioritizing remediation; and the decision support for both tactical judgments and larger strategic business decisions that affect the whole company.

Here are two examples that showcase the value of security in ways that executives understand and care about.

Demonstrating how a needed software or workflow improvement will solve not just an immediate security problem in one department but also solve everyone's problem in numerous departments if the approach is adopted organizationwide would likely be well received and offer a more federated approach to governance.

A government agency CIO could show how new FedRAMP security templates to inherit data from trusted multitenant cloud-based identity access management platforms cannot just plug security holes and reduce reporting violations but also boot efficiencies by reducing redundant compliance validation on applicants that use such services.

If leadership views the CISOs and their teams as more operational and focused only on technology or information risks, the cyber team could be treated as less of a strategic asset and will become more of a strategic adviser. Ultimately, tying security investments to business impacts, and measuring those effects with a cyber balance sheet approach will help elevate cyber-risk understanding and commitment for executives and boards.

Related Content:

 

Check out The Edge, Dark Reading's new section for features, threat data, and in-depth perspectives. Today's top story: "What a Security Products Blacklist Means for End Users and Integrators."

Andrew Morrison is a principal in Deloitte & Touche LLP's Cyber Risk Services practice and specializes in assisting clients with the risk associated with cyber threats. Andrew currently serves as the US leader of Deloitte's Cyber Strategy, Defense, and Response practice. In ... View Full Bio
Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Mobile Banking Malware Up 50% in First Half of 2019
Kelly Sheridan, Staff Editor, Dark Reading,  1/17/2020
Exploits Released for As-Yet Unpatched Critical Citrix Flaw
Jai Vijayan, Contributing Writer,  1/13/2020
Microsoft to Officially End Support for Windows 7, Server 2008
Kelly Sheridan, Staff Editor, Dark Reading,  1/13/2020
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: This comment is waiting for review by our moderators.
Current Issue
The Year in Security: 2019
This Tech Digest provides a wrap up and overview of the year's top cybersecurity news stories. It was a year of new twists on old threats, with fears of another WannaCry-type worm and of a possible botnet army of Wi-Fi routers. But 2019 also underscored the risk of firmware and trusted security tools harboring dangerous holes that cybercriminals and nation-state hackers could readily abuse. Read more.
Flash Poll
[Just Released] How Enterprises are Attacking the Cybersecurity Problem
[Just Released] How Enterprises are Attacking the Cybersecurity Problem
Organizations have invested in a sweeping array of security technologies to address challenges associated with the growing number of cybersecurity attacks. However, the complexity involved in managing these technologies is emerging as a major problem. Read this report to find out what your peers biggest security challenges are and the technologies they are using to address them.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2020-7227
PUBLISHED: 2020-01-18
Westermo MRD-315 1.7.3 and 1.7.4 devices have an information disclosure vulnerability that allows an authenticated remote attacker to retrieve the source code of different functions of the web application via requests that lack certain mandatory parameters. This affects ifaces-diag.asp, system.asp, ...
CVE-2019-15625
PUBLISHED: 2020-01-18
A memory usage vulnerability exists in Trend Micro Password Manager 3.8 that could allow an attacker with access and permissions to the victim's memory processes to extract sensitive information.
CVE-2019-19696
PUBLISHED: 2020-01-18
A RootCA vulnerability found in Trend Micro Password Manager for Windows and macOS exists where the localhost.key of RootCA.crt might be improperly accessed by an unauthorized party and could be used to create malicious self-signed SSL certificates, allowing an attacker to misdirect a user to phishi...
CVE-2019-19697
PUBLISHED: 2020-01-18
An arbitrary code execution vulnerability exists in the Trend Micro Security 2019 (v15) consumer family of products which could allow an attacker to gain elevated privileges and tamper with protected services by disabling or otherwise preventing them to start. An attacker must already have administr...
CVE-2019-20357
PUBLISHED: 2020-01-18
A Persistent Arbitrary Code Execution vulnerability exists in the Trend Micro Security 2020 (v160 and 2019 (v15) consumer familiy of products which could potentially allow an attacker the ability to create a malicious program to escalate privileges and attain persistence on a vulnerable system.