Safe Security’s Saket Modi discusses the value of quantifying cybersecurity and why putting a financial figure on the risk can drive a better response.
The C-suite conversation around cybersecurity has shifted. While it was previously the case that CISOs and other security heads tried to convince senior executives of the importance of investing in cybersecurity, a steady stream of serious breaches has firmly changed this.
The last few years have seen some monumentally expensive breaches, with the Advanced Info Service hack, for example, being estimated to cost as much as $58bn to fully remediate. Last year’s Comcast breach is estimated to have topped $10bn in losses and recovery costs.
Aside from these high-profile outliers, the average breach is now an increasingly expensive burden for organisations to bear. The IBM Cost of a Data Breach Report 2021 puts the average cost at $4.24m, up from $3.86m the year before.
The business world has responded to this clear threat by ramping up its security spending, and it’s estimated that investments will cumulatively hit around $1.75trn between 2021 and 2025 according to Cybersecurity Ventures.
The security conversation now centres on the most effective way to mitigate the chances of an incident before it even happens. But choosing the right security solutions and strategies to proactively measure, manage and mitigate risk is no small task, with each organisation having its own unique needs and priorities and a myriad of options to pick from.
The challenges in communicating risk today
The security industry has historically struggled when it comes to proving its business value in easily understandable, financial terms. While the ROI of other IT investments such as cloud migration can be easily quantified by metrics such as increased productivity, the reactive function of cybersecurity has proven more difficult to capture and translate. As such, conversations surrounding cyberthreats have tended to be vague and easily bogged down by technical jargons that lack a business context.
Security leaders need to speak to the board in a language they can relate to, focusing on business outputs and ROI, based on solid metrics backed by sound data science principles. One of the best ways to achieve this is to adopt proactive cyber risk quantification.
This is a model that creates a tangible risk value for every asset in the organisation, drawn from multiple data points across people, processes, technology, cybersecurity products and third parties in real time.
These risk values can then be translated into a direct monetary value that speaks very clearly to the board and other stakeholders in their own language. What financial risk do businesses face as a result of their cyber risk posture?
The need for real security metrics
Attempts to measure risk are often stymied by the need to collate and integrate data points from multiple disparate security tools and relate them to business decision-makers. Cyber risk quantification takes all of these data streams and combines them into one powerful, easily understood metric.
As this threat level can also be converted into a financial value, it can demonstrate both the current potential financial loss that cybersecurity risks represent and the reduction of cost that cybersecurity investments can deliver.
These metrics can be explored at a highly granular level, zeroing in on the financial impact of vulnerabilities in specific applications, devices and cloud instances.
This granular view can even extend down to individual users or outwardly to third-party connections. The benefit is that this view immediately allows decision makers to prioritise mitigation strategies – accept the risk, manage it through cybersecurity initiatives, or transfer it via cyber insurance.
The problem with bloated security stacks
The insights provided by the cyber risk quantification model can help organisations make more informed decisions about which security tools to invest in, particularly given that the default reaction to emerging threats tends to be to purchase more products. More investment does not equal better security.
In fact, security stacks tend to become very bloated and inefficient, often with many underused or redundant products. It is estimated that the average small business now uses up to 20 different security tools, while their larger counterparts are likely to have more than 130.
Bloated security stacks are not only an inefficient use of the allocated budget, but also tend to be difficult to manage. Unless there is effective centralisation and automation in place, security teams will spend much of their time flitting between different dashboards and being inundated with security alerts that provide little context or actionable insight.
Organisations should streamline their stacks to a single unified view to remove silos and overlaps, focusing on the solutions that will provide the clearest value by reducing risk exposure.
Introducing a universal language for threat data
To be truly effective, an approach based on cyber risk quantification needs to draw on data from every element of the business, as well as contextualising it against factors such as the organisation’s size, structure, location and sector.
All of this data should also be compared to real-time threat intelligence that reflects the cyber landscape outside of the organisation.
Businesses that are looking out for a proactive approach to cybersecurity need not lose hope with the checklist of actions to perform. They are well on their way to predicting their next data breach if they are collecting signals across people, processes, technology and third parties.
Now, they need to start analysing these signals in an objective and contextual manner through sound data science-based principles and use any inferences to measure their risk. Once risk is quantified, it is easier to plan strategies that manage and mitigate it.
By Saket Modi
Saket Modi is the CEO and co-founder of cybersecurity company Safe Security.
10 things you need to know direct to your inbox every weekday. Sign up for the Daily Brief, Silicon Republic’s digest of essential sci-tech news.