Being a CISO is a tough job and I don’t think anyone would argue that statement. CISOs must deal with a wide array of challenges. They are handed the unenviable task of securing expansive technology infrastructures. They are given increased responsibility, such as taking on the business continuity and resiliency programs. They deal with emerging issues – like the EU General Data Protection Regulation (GDPR) or the regulation du jour. Let’s not forget the constant pressure of the changing threat landscape and the general swirl of business.
Now, there is another challenge being added to the mix. CISOs are increasingly being asked to rationalize investments in security technology. They are also being asked to define what it means to transfer security risk, namely in terms of cyber insurance. Most often, cybersecurity is treated as a technical concern, and important business questions such as "are we doing enough?" and "are we spending too much or too little?" get unsatisfactory responses, if any. For IT and security teams to adequately communicate cyber risk to the business, the business must understand the risk in the context of the business. Translating technical risks into monetary terms is a key step towards addressing these emerging challenges for CISOs.
Quantifying risk is an evolving capability within risk and security management. Many organizations have moved from red/yellow/green risk scales to more quantitative models such as scoring systems. Graduating to a monetary based quantification approach unlocks a much broader capability. Whether calculating potential losses for cyber insurance efforts or prioritizing investments based their relative reduction of the financial impacts of a security breach, quantifying cyber risk adds an exciting, and much needed, dimension to the CISOs vocabulary.
# # #