Given the media attention to recent attacks, the growing role of nation states, and the vulnerabilities of our nation’s critical infrastructure, cybersecurity is moving from a sometimes-overlooked subsector of technology to a critical business function. Organizations not only need to take cybersecurity seriously, its effectiveness in managing cyber risk plays a direct role in its profitability. Invest too little, and incidents happen. Invest too much, and profitability evaporates.
The cybersecurity industry was born from technology experts realizing the complexity and risk of the infrastructure they deploy – technical people deriving technical solutions to the challenges of protecting the confidentiality, integrity, and availability of the organization’s data. Security experts were often the odd ones, left to their own devices even among technologists. However, as digital transformation has crept into most every facet of business within most every industry, so too has the risk these odd ones have discovered and understood.
Executives are no longer able to feign ignorance or simply “write checks” to ensure their cyber risk is managed effectively; an organization’s leadership has to understand the economics of the investments they are making. Cyber risk is business risk.
I have had the fortune of being “in the room” with several vaunted business leaders, Don Graham being one, Mark Zuckerberg being another. As my career has progressed, I have learned from others to prepare these executives to make effective decisions – how to define and communicate important information, how to position information to effectively educate and inform senior leadership. I have also been on the receiving end of their inquisitions – having to dig deeper for more data, more insights to feed their process. And more times than I care to admit, I have learned that I need to be more clear in communicating my logic.
Through these experiences I have learned the calculus for what goes into an effective decision. No matter the context, the underlying equation is always the same, whether it was Mark pushing us to ensure our application was fast and responsive enough to meet the expectations of the Facebook community, or Don allowing his skunkworks engineering team to use The Washington Post brand for its experimental news reading application. Does the potential return outweigh the risk?
So what drives business risk? Smart, effective leaders examine decisions based on economics: which option leads to more marginal benefit given marginal cost? Executives engage in daily decisions using this calculus, some large and most small. Ideally well informed data is used to understand cost and benefit, some in absolute terms with a high degree of certainty. Others, however, are defined using estimates with varying degrees of certainty. Once the variables are defined, the calculus is considered and the decision is made. Business risk, therefore, is defined as the uncertainty that is carried within the variables as defined. In effect, business risk is the probability that the estimates and calculations hold true in reality.
Security decisions follow this same formula. The intent of a security program is to manage risk. Certainty in security is a myth. And like all business decisions, the calculus is the same: does the marginal benefit of reducing risk outweigh the marginal cost of the investment? What is the probability that I will gain more than I might lose? The better the probability, the safer the decision. Doing something is certainly better than nothing, but how much is enough? And how effective are the investments I am making? In each case, the more effective one is able to inform this calculus, the more confidence that is engendered in the decision.
In business, confidence in decisions has led to a rise in the concept of data-driven decision-making. Data-driven decision-making goes beyond a basic Tableau installation; it is supported by a system of people, process and technology designed to pull information from data to inform decision-making. For mature organizations, data has been deeply woven into the decision-making process, underlying all key investments and driving accountability throughout the organization. For security, however, this maturation has been stunted due to limited or constrained use of data and an incomplete calculus.
A basic understanding of an organization’s security program begins with an assessment, what is currently a laborious process often involving a bevy of consultants. From there, decisions are made by well-informed practitioners, working from experience and their gut sense. Despite the amount of data proffered from cyber systems, little quantitative information is brought to bear.
Many security vendors occupy the space with protective technologies that address one or more domains of cyber risk. Their products are often policy driven, built on a set of binary configurations that either permit or prevent actions. Though effective in their domain, little heed is given to understanding the interplay each of these components have on the overall risk posture of the organization, even for the most mature of environments. Worse, as data is applied to derive understanding, security leaders use key performance indicators (KPIs) that are at odds with the calculus for how business decisions are made. Quantifying how many attacks were stopped or how many new vulnerabilities have been identified or mitigated are abstract litmus tests to understand the environment; neither of those metrics relate to the business. Firewalls, monitoring, and other protective measures are table stakes to understand your cyber environment, and yet the effectiveness of your security program should be measured by the calculus described above: what impact do these activities have on revenue and cost?
Effective data-driven decision-making has not yet been brought to bear to adequately and effectively inform cyber risk investment decisions. The business case for increasing investment is hard to make, so cyber risk programs drift under-resourced until incidents, regulation, or other catalysts drive behavior. More immature organizations are simply trying to plug the dam with the tools they have. In other (rare) cases, some cyber risk management programs are over-resourced, engaging every tool available to stave off potential incidents.
Opportunity in Cyber Data Exhaust
One of the more elegant aspects of cyber systems is the data exhaust they provide – vast, rich amounts of data upon which new ideas can emerge. For the security realm, a new method of measuring risk is needed – one that effectively calibrates risk against financial impact. Risk assessment should be a data-driven, continuous process driven by software. Visibility should exist across the cyber stack, from configuration to technologies to the threat environment, providing an informed, aggregate view of risk in how the cyber environment is effective in reducing overall exposure to the threat environment. As this uncertainty is reduced and its potential impact understood, security leaders can then make more effective decisions as to where and where not to invest. This visibility will better equip security leaders to effectively communicate to the C-suite and Board. And security investments are measured not by effect, but by impact on the business.
Are you effectively measuring risk? What is the marginal benefit gained by additional spend? Are you making the right investments to mitigate your risk?
At Grayline, I’m working to help organizations up their game towards effectively managing risk, by defining that proper balance between spend versus risk. Each organization is different, but the fundamentals remain the same.