December 18, 2023
During my first few years as a CISO at Avid Technology, I was able to establish a robust cybersecurity program. (Avid is a software provider that equips digital content creators with innovative tools.) With the help of my security team, Avid had become more mature in its control measures. This maturity meant we were better armed to address cyber vulnerabilities.
Unfortunately, on top of my regular duties, I also had to face an even greater challenge. I needed to communicate with a room full of people who lacked cybersecurity expertise. This obstacle included explaining my team's accomplishments and justifying future initiatives. Despite my best efforts discussed in Part 1, we could not reach a mutual understanding.
Still, even after facing one setback after another, I refused to give up. In the end, this perseverance led me to discover an analytical risk solution. This innovative tool enabled me to translate technical jargon into financial impact. And, if there's one language the executive team understands, it's finance.
This communication problem was not unique to Avid's security team and boardroom. Enterprises spanning many industries face this obstacle. It's hard to bridge the gap between cybersecurity goals and overarching business objectives. The issue is that no one is trained to measure cyber risk in objective numbers. Neither the board, the executives, nor my security team could do so.
The situation thus becomes a slow-burning conflict. The security team does not have the vocabulary to describe its cybersecurity programs in business terms. Likewise, those who approve the budget do not have the training to understand them. They don't know how to ask the questions that would clarify the ROI of security initiatives.
I had established existing frameworks to help mitigate this issue. Nonetheless, the boardroom knew they were not receiving objective, measurable cyber posture evaluations. Fed up with the continuous struggle, I concluded it was time to think outside the box. Which untapped market solutions had I yet to consider?
Creative thinking demands going back to the basics and considering the underlying goal. At the core, my team and I needed to translate cyber risk and initiatives from intangible, subjective technical terms to monetary value. We knew that we had to shift the discussion to money. But we still didn't know how to do that.
Serendipitously, it was at this point that relevant industry studies started to emerge. IBM released its annual Cost of a Data Breach Report, and Verizon published its Data Breach Investigations Report. These yearly reviews evaluate hundreds of global organizations and reveal quantitative insights into the prevalence of different types of cyber events across various industries and the financial impact these events had.
Moreover, they offer benchmarks against which similar organizations can compare themselves to understand their potential cybersecurity financial risks better. The comparison points give CISOs like me objective numbers to bring to boardroom members to justify risk mitigation expenditure.
For instance, if the IBM report found that malicious attacks occurred most in Germany, German corporations might prioritize investment against data breaches caused by malicious actors. Essentially, German CISOs could use the IBM report as objective proof that their hard work served to safeguard the company’s ROI.
Although I was initially enthused by what these industry assessments offered, a closer examination revealed the research's limitations. The financial figures offer a bird's-eye picture of a cyber event's impact but fail to break it down more granularly.
The cost of a cyber event is made up of several components. These can include, among others, the cost of incident response, retainers, security providers, equipment recovery, and productivity losses. The large-scale cyber event studies aggregate all those aspects into a single value, rendering the conclusions valuable but very broad.
With these reports, companies like Avid are left with a sizable financial value used to describe the impact of an infinite number of scenario combinations. In other words, we had access to the final result of a cyber event or data breach. However, we still couldn't develop detailed, prioritized strategies aimed at addressing the most vulnerable cyber aspects.
Still, some financially quantified data is better than none, and so I used these numbers to attempt to paint a picture for the executives. I combined the IBM figures with public company information (e.g., the impact on respective stock prices following a cyber incident) to generate a more holistic view of the monetary ramifications. Armed with my new insights, I walked bravely into the boardroom.
Aware that the reported numbers were an aggregated average, I tried to stay conservative when illuminating the financial impact of a cyber event. Nonetheless, my calculations amounted to millions of dollars in potential loss, and the boardroom didn't want to believe it. Even when presented with real-world data, they remained skeptical.
I was extremely disheartened. I had found the numbers, but they still weren't good enough.
To be fair, I fully grasped why the higher-level management and board executives had dismissed my first financially quantified case. The numbers were too generic, gathered from an all-inclusive data pool averaged across multiple industries. In spite of my disappointment, I remained undeterred and resolved to find a solution that equipped my team and me with more specific information.
Back at the drawing board, I began researching risk analysis options that could solve my pressing issue. After experiencing many setbacks, I was skeptical when I first came across Kovrr's financial cyber risk quantification solution. Nonetheless, I signed up for a free demo and soon after met with Yakir Golan, CEO and Co-founder of the CRQ solution provider.
What struck me right away was Yakir's disclosure that Kovrr used real data from insurance claims. Yakir told me that, due to its unique history of serving insurance companies in its early stages, Kovrr has access to genuine cybersecurity insurance claims submitted by enterprises that had suffered financial loss from both small and large-scale cyber incidents.
Kovrr's access to the insurance claims appealed to me for two primary reasons, the first being that the numbers were authentic. They represented actual loss amounts for specifically defined events, as opposed to potential loss. The second was my sudden understanding that boardroom members, well-versed in business insurance, would understand these numbers clearly and accept them as objective.
Insurance industry claims come as close as one can get to the realistic cost of a data breach. After only one conversation with Kovrr, I had already discovered two of the highly unique benefits of this CRQ model. First, I understood that Kovrr's data would be much more specific. Second, I knew that management would understand the assessment because insurance is not a novel concept for them.
On top of offering the more specific, unbiased data that the IBM report and other broad studies lacked, insurance claims also demonstrate a company's cybersecurity posture in relation to the financial loss it ultimately suffered. Simply put, Kovrr had the capability to compare an organization's reported cybersecurity control measures against the claims data and determine how those measures affected the financial ramifications.
Leveraging that highly valuable information, Kovrr's models can assess what type of losses Avid, or any other enterprise, should expect to suffer given their respective control levels. Moreover, it can project how much that same enterprise stands to save after switching to a higher level, allowing any CISO to justify security mitigation action plans in financial terms.
After fully comprehending what Kovrr's financial cyber risk quantification platform was capable of, I knew that this was the solution my team had required since the beginning. While no CRQ can predict the future with absolute certainty, a concept discussed further in Part 3, Kovrr was going to give my team the ability to come very close.
With this understanding, I was ready to run the numbers and finally get a customized risk assessment tailored to Avid's specific industry position and cyber posture.
If you're interested in listening to the rest of my story rather than reading it, check out the webinar!
To learn more about how Kovrr models are adaptable to an organization's ever-evolving cyber landscape, schedule a free demo today.