
teissTalk host Jenny Radcliffe was joined by Mark E.S. Bernard, Strategic Cybersecurity Advisor & GRC Manager, Bernard Institute for Cybersecurity; Sabino Marquez, CISO & Director of Privacy Operations, Cognota; Joe Evangelisto, Chief Information Security Officer, TANGO; and Phillip Wylie, Manager, Tech Evangelism & Enablement, CyCognito.
Organisations need to see more than the absence of successful cyber-attacks to justify spending on people and security tools; they also need to be convinced that the spending supports business goals.
Meanwhile, CISOs should move their language away from technical discussion of vulnerabilities and towards quantified business risk and the issues the board cares about. While information security professionals are concerned with adopting control frameworks, hiring competent staff, meeting legal obligations and so on, the business is focused on how to innovate, stay competitive, grow market capitalisation, remain agile and the like.
The questions business leaders ask about information security are whether they can deploy security tools without hindering innovation; how they can become more competitive if their anti-phishing filter is blocking new leads or business opportunities; and how they can encourage knowledge leapfrogging when collaboration tools are restricted by security.
As a CISO, you have to find the sweet spot between your priorities and those of the business, and understand the economic and financial metrics: how security affects sales velocity, churn rate and so on.
It is difficult to assess the damage a given vulnerability can cause. You may identify one and look it up in the CVE (Common Vulnerabilities and Exposures) list, but the CVSS base score attached to a CVE entry will not reflect the criticality of that vulnerability in your environment, because it does not factor in the mitigating controls you may have in place. In industries where security is an integral part of the buying journey, security is strategic to the business.
But in many businesses, technology just sits in the corner, or the people and processes needed to make sense of the figures it produces are missing. Without consensus on what needs to be protected and why, no technology can deliver.
Information security leaders should ask their staff questions when they are not sure what is going on; their staff will respect them more for it.
There are hidden impacts of an attack that often only become apparent long after the breach has happened. Business processes are relatively easy to fix after a breach; what may cause more trouble is communicating what has happened to the outside world.
The damage caused by a breach is closely linked to its blast radius (has it affected primary assets, databases or the data flow?), the type of stakeholders whose data has been breached and the role that data plays in their value creation.
The cost of a breach can easily run to millions of pounds, plus ongoing costs such as losing a deal as a result, or the time and resources spent investigating and managing it.
© 2025, Lyonsdown Limited. teiss® is a registered trademark of Lyonsdown Ltd. VAT registration number: 830519543