Introduction
For years, companies have relied on qualitative methods, if any, to measure cybersecurity risk within their organizations. These methods often involved subjective red, yellow, and green 5×5 matrices or semi-quantitative ranges like 1-5. While these tools provided a basic framework, they often left executive leadership with more questions than answers. This was particularly problematic since CEOs and board members typically had limited understanding of cybersecurity terminology and the controls implemented to protect their assets and sensitive information.
Growing Accountability in Cybersecurity
In recent years, accountability in cybersecurity has sharply increased.
Gartner’s Prediction: In September 2020, Decipher cited Gartner, stating, “By 2024, as many as 75% of CEOs could be held liable for data breaches if it is found that the incidents occurred because the organization did not focus on cybersecurity or invest sufficiently in cybersecurity.”
High-Profile Cases:
- Uber’s Chief Security Officer: Charged for Covering Up Hack: In 2020, Joseph Sullivan, the Chief Security Officer of Uber, was criminally charged due to the actions he took following a data breach. This case underscored the potential personal liability that security officers can face in the wake of cybersecurity incidents.
- Drizly and the FTC: Ignoring Warning Signs: In October of 2022, the Federal Trade Commission (FTC) took action against Boston-based Drizly, a subsidiary of Uber, and its CEO James Cory Rellas. The action was due to Rellas’ neglect in responding to prior warning signs, which eventually led to a breach exposing 2.5 million consumer records. This incident highlighted the consequences of ignoring cybersecurity risks.
- SolarWinds: Misleading Investors: In November of 2021, SolarWinds and its CISO, Timothy Brown, were charged with misleading investors following a major cyber incident. This case demonstrated the serious implications of not being transparent with stakeholders about cybersecurity vulnerabilities.
The Need for Quantifying Cybersecurity Risk
These incidents highlight the critical need for quantifying cybersecurity risk. CEOs and boards are becoming more cybersecurity savvy and expect concrete data to make informed decisions.
SEC’s Proposed Rule (March 2022): Requires public companies to disclose whether their boards include members with cybersecurity expertise.
Shifting Expectations
No longer will executive leadership accept vague PowerPoints with pretty red, yellow, and green boxes or technical CISOs lacking business acumen. They will expect to hear things like, “we can reduce the impact to the organization by $230,000 annually if we implement control X costing $90,000.” Or “Y nation-state group is currently targeting Z vulnerability in our industry potentially leading to an organizational impact of $20 million. We can reduce the risk by 80% by mitigating the vulnerability within our systems for $300,000 annually.”
Quantifying Risk: The Way Forward
To meet these expectations, organizations need to adopt rigorous methods for understanding and communicating cybersecurity risk.
- Understand the threat landscape within your organization by defining loss probabilities to include upper and lower bound estimations.
- Perform likelihood and impact calculations using Monte Carlo simulations.
- Become educated on a method that has been around since the early 2000s, Factor Analysis of Information Risk developed by Jack Jones.
Valuable Resources: Several publications can help understand the global threat landscape and cost of data breaches by industry, such as: the Verizon Data Breach Investigation Report (DBIR) and the IBM-sponsored Ponemon Institute’s ‘Cost of a Data Breach’ report. Monitor threat intelligence feeds and other publications for regulatory fines delivered or overall breach recovery costs.
Conclusion
To be an effective CISO in 2024 and beyond, a CISO must possess a deep understanding of policies and standards, incident response, recovery point/time objectives (RPO, RTO), security architecture, tools, and technologies. They must also learn the language of the C-Suite, in order to effectively communicate risk in the way of what the businesses care about most, public and personnel safety, financial stability and profitability. This shift from qualitative to quantitative risk measurement is essential for making informed decisions and protecting organizational assets in an increasingly digital world.