The risk of a data breach with significant financial consequences and damage to brand equity is the fear of most large publicly traded companies. But many smaller businesses wrongly assume they are too small to be on the radar of threat actors. The truth is that it is all about the data, and small businesses often have less well-guarded and less well-defined structures for their data stores. This means that every strategic marketing plan and every company’s overall security strategy should incorporate a data breach communication plan. To articulate this, there needs to be an understanding of the risk profile of the organization. In a large organization, risk, governance and compliance professionals are frequently called upon to present relevant risk profile information in an engaging way. For smaller companies, this may mean bringing in third-party partners and sharing plans with them.

The challenge is that understanding the threat landscape and the risk exposure/risk position of the company falls on two parts of the business. The Board is responsible for the exposure and financial remediation of cyber risk, whereas IT management is more operationally responsible for prioritizing actions and remedies. Communication must therefore involve two parties: one needs to understand the financial and strategic implications, and the other the operational activities, with the ability to drill down and understand resource allocation across the business.
Trends in risk profiling and communication of risk in the business
A risk profile is a summary that provides financial impact estimates for all the risks associated with a business unit or activity. Risk profiles are documented and visualized using different methods but are typically based on estimates of the probability and impact of a list of identified risks. There is a recent trend towards the use of dashboards to articulate a risk profile visually. Visualization can highlight more than words and can help organizational stakeholders spot trends and make revenue-impacting decisions with clarity and speed. Risk managers try many ways to visually capture reliable and telling data, and to depict such data with images that their colleagues, executives or board members — despite their varying roles and backgrounds — can easily understand. Data visualization exposes information and clarifies complex concepts, which allows quicker decision making. Simply put, it is easier to understand data when it is presented in a graphical format, and this is especially true when the decision is more complex. The best data visualization tools will also allow you to efficiently and independently query the information you’re seeking and let you receive customized alerts so you can make timely and informed decisions.

But as a November 2018 McKinsey article pointed out, the structuring of risk communication is usually done poorly. Boards and committees are swamped with reports, including dozens of key performance indicators (KPIs) and key risk indicators (KRIs) that are inconsistent and usually carry too high a level of detail. Research from Osterman Research indicates that most IT and security executives use manually compiled spreadsheets to report cyber risk data to their boards; unsurprisingly, many board members are dissatisfied with the reports they receive.
What do actionable metrics look like? Making risk visual
What do you measure to show what “good” looks like when it comes to cybersecurity? Experts suggest the following factors:
- Exposure and risk position for the overall firm, and then segmented by business unit, location or technological structure (network, cloud, node, etc.)
- Number or frequency of attack vectors exposed in the firm, by business unit
- Allocation of resources in relation to the financial impact of the assessed risk
Deloitte suggested in 2018 that the future direction was to create benchmarks such as:
- Maturity score by NIST domain
- Cybersecurity spending as a percentage of IT spending, as well as per FTE
- Number of cyber risk FTEs as a percentage of information security and total IT personnel
The point I want to make is that the important aspect of any of these metrics is to make them both visual and actionable. Dashboards that create an overview of the risk portfolio exist, but they do not always tie to specific financial impacts on the business. There are many newer tools out there that allow security teams to visualize incident data, spot patterns and assess risks to their facilities and employees alike. But these need to be tied back to the strategy of the firm and the financial impact of a breach.
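As an added illustration (not code from the article or its author), the following Python carries the risk-profile arithmetic described above through a constructed risk register: each risk's annualised expected loss is probability times impact, exposure is aggregated by business unit and by NIST CSF function, and each unit's share of security spend is compared with its share of firm-wide exposure to flag where resource allocation lags the assessed financial risk. The register entries, spend figures and unit names are all hypothetical.

```python
from dataclasses import dataclass

@dataclass
class Risk:
    name: str
    business_unit: str
    nist_domain: str   # NIST CSF function: Identify, Protect, Detect, Respond, Recover
    likelihood: float  # estimated annual probability of occurrence (0..1)
    impact: float      # estimated financial loss per occurrence

# Constructed sample risk register; figures are illustrative, not real data.
RISK_REGISTER = [
    Risk("Phishing leading to credential theft", "Finance", "Protect", 0.40, 250_000),
    Risk("Ransomware on file servers", "Operations", "Recover", 0.15, 1_200_000),
    Risk("Misconfigured cloud storage exposure", "Marketing", "Identify", 0.25, 400_000),
    Risk("Unpatched VPN appliance", "Operations", "Protect", 0.30, 600_000),
    Risk("Delayed detection of lateral movement", "Finance", "Detect", 0.20, 800_000),
]
# Constructed annual security spend per business unit (hypothetical values).
SPEND_BY_UNIT = {"Finance": 120_000, "Operations": 90_000, "Marketing": 60_000}

def expected_loss(risk: Risk) -> float:
    """Annualised expected loss: probability of occurrence times impact."""
    return risk.likelihood * risk.impact

def exposure_by(risks, attribute: str) -> dict:
    """Sum expected loss per segment, e.g. 'business_unit' or 'nist_domain'."""
    totals = {}
    for r in risks:
        segment = getattr(r, attribute)
        totals[segment] = totals.get(segment, 0.0) + expected_loss(r)
    return totals

def allocation_gap(risks, spend_by_unit: dict) -> dict:
    """Per unit: share of security spend minus share of firm-wide exposure.
    Negative means the unit carries more of the risk than of the budget."""
    exposure = exposure_by(risks, "business_unit")
    total_exposure, total_spend = sum(exposure.values()), sum(spend_by_unit.values())
    return {unit: spend_by_unit.get(unit, 0.0) / total_spend - loss / total_exposure
            for unit, loss in exposure.items()}

def under_invested(risks, spend_by_unit: dict) -> list:
    """Units with a negative allocation gap, worst first."""
    gaps = allocation_gap(risks, spend_by_unit)
    return sorted((u for u, g in gaps.items() if g < 0), key=lambda u: gaps[u])

if __name__ == "__main__":
    for unit, loss in sorted(exposure_by(RISK_REGISTER, "business_unit").items()):
        print(f"{unit:<12} expected annual loss: {loss:>12,.0f}")
    print("under-invested units:", under_invested(RISK_REGISTER, SPEND_BY_UNIT))
```

With the constructed figures, Operations carries half of the firm's expected loss but only a third of the spend, so it is the one unit flagged; swapping `business_unit` for `nist_domain` gives the same exposure view by CSF function.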
Summary
For both regulatory and financial reasons, Board-level executives need cyber risk information for business decisions. This means having access to drill-down capabilities that show gap analyses from the category level down to the control level for various frameworks or standards. These might include the NIST Cybersecurity Framework, the CIS Critical Security Controls, ISO 27002, or privacy standards such as the NIST Privacy Framework and the emerging California Consumer Privacy Act (CCPA). Dashboards that tie to these frameworks do exist, but they need to be usable for communicating actionable activities and resource allocation, not just as a reporting mechanism for regulatory bodies and shareholders.
Author Profile: Dr. Alea Fairchild, Principal Advisor, Technology Enablement, Ecosystm. Dr. Alea Fairchild is a technology commentator and infrastructure specialist who covers the convergence of technology in the cloud, mobile and social spaces. She has a passion for the design and optimisation of physical spaces, exploring how technology can enhance user experiences. Alea helps global enterprises profit from digital process redesign. Outside of her work with Ecosystm, Alea is a Research Fellow at The Constantia Institute, a Brussels-based technology policy think-tank focusing on innovation and technological advances and their impact on industry and society. She also teaches graduate courses in technology marketing at KU Leuven in Belgium. Alea received her Doctorate in Applied Economics from Univ. Hasselt in Belgium based on her research in the area of banking and technology. She also holds a Bachelor’s degree in Business Management and Marketing from Cornell University. Editor’s Note: The opinions expressed in this guest author article are solely those of the contributor, and do not necessarily reflect those of Tripwire, Inc.