Bridging the Gap Between Security and the Business: A New Approach to Business Risk Quantification

Author: Yotam Ben Ezra, Vice President of Product, SafeBreach
Date Published: 14 July 2021

Editor’s note: The following is a sponsored blog post from SafeBreach.

In the security arena, today's teams have to navigate significant layers of complexity, contending with too many different standards and too many disparate technologies. When we talk about security, we have a lot of buzzwords, catchphrases, and, of course, acronyms, which too often compound the confusion rather than reduce it. Teams are tasked with combating threats while operating in a world of BCPs (business continuity plans), DRM (digital risk management), ITRM (IT risk management), KRIs (key risk indicators), and much more.

This proliferation of terminology points to a broader challenge: the difficulty in getting teams across the organization to talk about risk in the same language. Part of the disconnect stems from the differing responsibilities and priorities of the roles at the executive level. For example:

  • CISOs are traditionally focused on communicating about security risks and gaining the financial and operational support needed to address them.
  • CIOs are responsible for translating security and technology views for the business and for prioritizing and justifying overall technology spending.
  • CFOs are responsible for managing the overall organizational spend and ensuring that it is in accordance with the target set by the CEO and the board.
  • The CEO and board of directors need to understand how security risks affect the organization, and make high-level resource allocation decisions, while focusing on optimizing business performance and results.

The reality is that too often there is a fundamental gap between the security strategy and the business, and that gap works against the success of each of these roles. The two sides ask different questions:

  • Security teams are focused on these questions:
    • Do we have the right security controls?
    • Are our existing security investments effective?
    • Am I protected against the latest threats?
    • What are our main security gaps?
  • Business leadership is focused on these questions:
    • What’s my exposure in financial terms?
    • Are our technology investments supporting our business goals?
    • How can we further reduce risk to the business?
    • Where should I invest to maximize my ROI?
    • How do we reduce costs?

When these teams are not aligned, there is a fundamental lack of clarity around risk. Without that visibility, the executives who make critical decisions about security tactics and investments are not getting the insight into risk that they need to choose wisely. When business goals and priorities, budget allocation, and security controls are not optimized together, the bottom-line impact can be significant.

CISO Imperative: Business Alignment and Value Delivery
Particularly for the CISO, focusing on security without ensuring business alignment will be a recipe for failure. Put another way, those CISOs that focus solely on security, and ignore the gap that persists with the business, will not maintain their seat at the table for very long.

Consider that, according to Gartner research, by 2023, 30% of CISOs’ effectiveness will be directly measured on their ability to create value for the business. If this is accurate, and if the expectations and criteria continue to evolve, business alignment will only get more critical. To close the gap, CISOs need to get answers to the following questions:

  • What are my business processes?
  • What is the business value of each process?
  • How is the technology stack mapped to business processes?
  • Which security controls support that stack?
  • How do I quantify security risks in business terms?

The Solution: A New Approach to Risk Quantification
To gain authoritative answers, particularly to the final question, teams need to establish a model for cyber risk quantification (CRQ) within the enterprise. Through CRQ, teams across the organization can establish alignment around the most critical risks, and optimally align investments, allocations, and resources around those risks.

Ultimately, CISOs want to reach a point where business risk reporting is generated automatically and offers actionable insight into specific risk scenarios: particular threats, the risks facing a given group or business unit, and the risks to which specific assets are exposed. That said, many organizations will find it hard to build a process that continuously identifies risks to the organization, because doing so requires input from different stakeholders and sustained cross-functional collaboration.

So where should an organization start? One approach is to "start simple": rank the relative importance of high-level entities, business units, and assets, and define the high-level threat scenarios each one faces. This alone yields insight the business can act on. The security organization can then decide at what pace, and to what level of detail, to develop the model further.

While establishing unified visibility is key, it is also critical to understand the various levels of visibility that different teams require. Think about the visibility you want when you’re flying. You want to be able to look out the window and see your progress, and ideally, your flight will offer those interactive maps that show the plane’s location. Then think about being the pilot on that plane, and the detailed dashboard you’d need to get the plane to your destination.

CRQ Overview
At a high level, CRQ can be viewed as a simple calculation: impact × likelihood = risk. The relationship is multiplicative rather than additive: a crown-jewel asset against which every attack is blocked, or a worthless asset that is trivially compromised, both carry little risk, and a sum of the two factors would not capture that. Here is our recommendation on how organizations should consider defining these different aspects:

  • Impact. To establish impact, it is important to determine the value of a business entity. Ultimately, this yields a concrete view of the entity's "crown jewels": the critical data, assets, and locations that must be protected. Impact and value can initially be rated on a simple scale of high, medium, and low relative to the business; a more mature organization moves to a model that assigns actual monetary values to loss, which is the end goal.
  • Likelihood. Likelihood combines the probability that an entity is attacked with the probability that the attack results in a loss. The first depends on the entity's importance and value from an attacker's perspective; the second depends on its pertinent vulnerabilities and on the effectiveness of the security controls protecting it. Security control validation tools can be used to measure the exposure of business entities deemed to be of high value: the share of simulated attacks against an entity that its controls fail to block is a direct, repeatable estimate of that second probability. Combining the entity's importance with its threat and vulnerability scores gives the likelihood of a loss event.
  • Risk. Risk is then assessed by combining business impact with the likelihood of a loss event due to an attack. Fundamentally, the higher the value and the higher the likelihood, the higher the risk. What matters is that risk is defined in a concrete, objective way that can genuinely guide effective, coordinated action across the business.
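The following is an added worked example of the calculation above and of the "start simple" progression described earlier; it is illustrative code written for this page, not SafeBreach's product logic. The entity names, dollar values, attack probabilities, and control-validation outcomes are all constructed, and the thresholds that map a probability to a low/medium/high band are an assumption. Each entity gets two scores: a qualitative matrix score that needs only a high/medium/low impact rating, and a monetary expected loss that needs a value figure. Likelihood is the probability of attack multiplied by exposure, where exposure is the fraction of simulated attacks that the entity's controls did not block.

```python
"""Toy cyber risk quantification (CRQ) model: risk = impact x likelihood.

Added example. All entities, values, probabilities and control-validation
results are constructed for illustration; none come from the original post.
"""
from dataclasses import dataclass, field
from typing import List

# Ordinal value of the 'start simple' high/medium/low impact rating.
QUALITATIVE = {"low": 1, "medium": 2, "high": 3}


@dataclass
class ControlResult:
    """Outcome of one simulated attack against an entity's stack (constructed)."""
    technique: str
    blocked: bool


@dataclass
class Entity:
    name: str
    impact_level: str           # "high" / "medium" / "low"
    value_usd: float            # monetary value at risk (maturity goal)
    attack_probability: float   # P(entity is attacked in a year), from threat assessment
    results: List[ControlResult] = field(default_factory=list)

    def exposure(self) -> float:
        """P(attack succeeds | attempted): share of validation runs not blocked.
        With no validation data we conservatively assume full exposure."""
        if not self.results:
            return 1.0
        return sum(not r.blocked for r in self.results) / len(self.results)

    def likelihood(self) -> float:
        """P(loss event) = P(attack) x P(success | attack)."""
        return self.attack_probability * self.exposure()

    def qualitative_risk(self) -> int:
        """Matrix score 1..9: impact rank x likelihood rank (no dollar value needed)."""
        return QUALITATIVE[self.impact_level] * likelihood_level(self.likelihood())

    def expected_loss(self) -> float:
        """Annualised expected loss in USD: value x likelihood."""
        return self.value_usd * self.likelihood()


def likelihood_level(p: float) -> int:
    """Map a probability to a 1..3 band. Thresholds are an assumption."""
    if p >= 0.5:
        return 3
    if p >= 0.2:
        return 2
    return 1


def rank_entities(entities: List[Entity]) -> List[Entity]:
    """Highest expected loss first; this is the investment priority list."""
    return sorted(entities, key=lambda e: e.expected_loss(), reverse=True)


def build_sample_entities() -> List[Entity]:
    """Constructed sample data."""
    return [
        Entity("payments platform", "high", 5_000_000, 0.6,
               [ControlResult(f"T{i}", blocked=i >= 2) for i in range(10)]),   # 2 of 10 got through
        Entity("HR portal", "medium", 800_000, 0.5,
               [ControlResult(f"T{i}", blocked=i == 0) for i in range(4)]),    # 3 of 4 got through
        Entity("marketing site", "low", 100_000, 0.9, []),                     # never validated
        Entity("archived data warehouse", "high", 3_000_000, 0.3,
               [ControlResult(f"T{i}", blocked=True) for i in range(5)]),      # everything blocked
    ]


if __name__ == "__main__":
    print(f"{'entity':28} {'qual':>4} {'exposure':>8} {'likelihood':>10} {'expected loss':>14}")
    for e in rank_entities(build_sample_entities()):
        print(f"{e.name:28} {e.qualitative_risk():>4} {e.exposure():>8.2f} "
              f"{e.likelihood():>10.3f} {e.expected_loss():>14,.0f}")
```

Two things the output shows that the prose alone does not. First, the qualitative score ties three of the four entities at 3, while the monetary view separates them clearly; that is the step up in precision the post describes as the end goal. Second, the archived data warehouse is "high" impact yet contributes zero expected loss because every simulated attack was blocked, which is exactly the effect a multiplicative model should produce and an additive one would miss.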

An Aligned Approach to Tracking Risk
For CISOs, aligning with the business is a critical imperative for the success of their organizations, not to mention their careers. Though many organizations are far from having complete visibility into the value of their technology and IT assets, an effective CRQ process can be built to match their current level of maturity and refined from there. Through a CRQ model tailored to the business, its goals, and its IT and security infrastructure, teams can begin to track risk in a way that puts everyone on the same page. With that shared visibility and unified purpose, they are far better equipped to ensure that investments and security defenses are aligned with both business and security objectives, and to move the needle on risk in a pragmatic and verifiable way.

To learn more about how SafeBreach is supporting enterprises’ CRQ initiatives, visit us at www.safebreach.com.