How to Quantify Cyber Risk in Financial Terms
Businesses now largely understand that cyber risk is a business risk, says Clar Rosso, CEO of (ISC)2, a nonprofit security training and certification organization. “It’s evolving to a point where boards and C-suites understand that to successfully manage risk in their businesses, they need to think about information security risk as much as they think about financial risk,” Rosso says.
But that raises questions about how much cyber risk, exactly, businesses should take in different situations. Although the news is replete with stories of organizations losing millions of dollars due to data breaches — in ransoms paid to criminals, lost business, reputational damage and more — putting an accurate dollar figure on the level of risk has been elusive.
“We’re seeing tight budgets and people scrutinizing where to make investments,” says Buck Bell, head of CDW’s global security strategy office. “They’re looking for guidance by which to evaluate the financial impacts of the risks they face.”
Past efforts in this area have been dry holes — to the point, Bell says, that some organizations believe attempts to accurately quantify cyber risk are a fool’s errand. CDW, though, has recently developed a tool that does just that, he says.
The Security Program Assessment and Risk Quantification tool calculates risk by combining cybersecurity insurance data with well-established security best-practice protocols, such as the one developed by the National Institute of Standards and Technology. “This is real, no-joke actual insurance claims data, not some theoretical modeling that may or may not be true that tries to value data with a series of abstractions,” Bell says. “Taking this approach is a much faster, more accurate way of providing that risk quantification. What’s the maturity of the security controls, and what’s the potential for loss, based on insurance data? Then it comes up with a dollar figure.”
Once businesses understand how much cyber risk they have and where it is, they can make better decisions about how to insure against and mitigate those risks. “They can start turning dials to see how they can manage that risk while getting the most bang for their buck,” he says. “That’s wildly super powerful.”
AI Is Forcing a Re-Evaluation of Data Protection and Governance
AI is changing the way businesses think about protecting their data. Cybersecurity professionals, for example, told (ISC)2 in a recent survey that while they’re excited about how AI tools might help them work more efficiently, especially when it comes to automating repetitive tasks, more of them think the technology will be of greater benefit to criminals than to their business, according to Rosso.
Indeed, says Bell, “folks are interested in the benefits of AI but they’re also hyper-concerned that without appropriate data classification and data governance that they could expose sensitive data via a large language model.”
In an AI-powered world, organizations will have to be more diligent than ever about understanding how their data is governed and secured and who is authorized to access it. CDW’s Mastering Operational AI Transformation, an executive consulting engagement that helps organizations introduce AI concepts across the enterprise, includes a security component that focuses on data governance and access control, Bell says.