February 6, 2023
As an information security leader, you’re probably well aware of the cybersecurity risks your organization faces. But presenting that cyber risk management data to your board of directors is a whole other matter.
Metrics that make sense to you can easily sound like a foreign language to board members. Even directors who grasp the shape of your IT infrastructure will generally not be satisfied by that alone when their real concern is risk.
What directors really want is to be able to translate cybersecurity data into actionable business insights and to understand how cyber incidents can impact the business. Now, more than ever, data-driven cyber risk quantification can empower directors to make informed decisions about how to address, mitigate, and transfer these risks.
“A good way to convey a message is based on risk. Especially when you are able to quantify that risk, then you bring the discussion into the realm of something they know,” noted Philippe Vuilleumier, Chief Security Officer at telecom company Swisscom, in a previous Kovrr article. Vuilleumier is also an advisory board member for Kovrr.
So, while the exact cybersecurity metrics you report to your board can vary among organizations, the overall goal should be to choose data that helps directors understand what cybersecurity risk management means in financial and business terms.
Some cybersecurity risk management metrics to consider include the following:
(The names of some metrics may differ among users, but the essence generally remains the same.)
One of the most important cybersecurity metrics to report to your board is your financial exposure to cyber events. In other words, if you suffered from a ransomware attack, data breach, or another type of cybersecurity incident, what would your expected losses be?
Cyber risk quantification tools like Kovrr's Quantum platform can generate high, low, and average estimates of your financial exposure to cyber events. Users can also simulate individual events and estimate the exposure introduced by new projects or technologies the company is pursuing. By breaking estimated losses down by business unit, geography, or any other asset group within the organization, security and risk teams can isolate where their cyber risk sits for mitigation and management purposes.
Understanding your loss exposure through cyber risk quantification also means that you can report on cyber investment ROI.
Suppose you want to invest $500,000 in a new cloud security tool, having concluded that cloud security is a major risk for your company. At that price the tool may be considered expensive for your organization and draw pushback when you request the budget. Through Quantum, you can calculate how much this investment would decrease your loss exposure. If it cuts expected annual financial exposure by $1 million, the investment returns twice its cost: an ROI of 100%, computed as ($1,000,000 - $500,000) / $500,000. Comparing the cost of an investment to the decrease in risk in the same monetary terms is an "apples to apples" comparison, which makes the investment far easier to justify.
Plus, you can report multi-year ROI based on non-recurring expenses, such as if adding an upfront hardware expense leads to reduced financial exposure for the next few years.
On the flip side, you can report cases where cyber investments haven’t panned out, which might indicate a need to shift budget to other cyber risk management approaches.
Part of calculating your financial exposure to cyber events means looking at what would happen if you experience events like a third-party service provider failure. But it’s worth considering third-party cyber risk quantification as its own metric, as your board will likely want to get a better understanding of your supply chain risks.
For example, if certain vendors introduce more cyber risk than others, that could influence where your next contracts go. Knowing the probability of a third-party cyber event can also help directors and other leaders weigh decisions such as outsourcing a process versus handling it internally.
Kovrr has made significant updates to Quantum to help better quantify third-party cyber risk, with features like breaking down third-party vs. first-party risk and calculating the probability of experiencing third-party cyber events.
In addition to covering financial exposure to cyber events, which tells you what the severity could be, boards can also benefit from getting reports on the overall expected likelihood of cyber events.
Drawing on aggregated data, such as cyber insurance claims, together with your organization's own security controls and processes, Quantum can benchmark the likelihood of cyber events, including the probability of each event type relative to others in your industry.
If your board knows that you have a high probability of experiencing multiple cyber events per year, it is more inclined to allocate resources to mitigate those threats, to evaluate the effectiveness of current security measures, and to fund improvements where they are needed.
Lastly, CISOs can report to boards on cyber insurance questions, such as the probability of a loss exceeding your coverage. If a high-loss scenario is significantly larger than your cyber insurance policy limits, the board will want to understand how much of that loss the company itself could be on the hook for.
You can also report benchmarking data regarding how your insurance terms and conditions stack up against peers. That way, boards can get a better understanding of how much risk the organization is assuming vs. transferring that risk to an insurer. Or, your company might look for ways to mitigate excess risk, rather than renegotiating insurance terms.
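The metrics above (high, low and average loss exposure, the probability of exceeding a policy limit, and the ROI of a control) all fall out of a single loss model. The following is an added, illustrative example and is not Kovrr's code or the methodology behind Quantum: it uses a hypothetical frequency/severity Monte Carlo model in which the annual number of events is Poisson-distributed and each event's loss is lognormal. Every parameter (event rate, median loss, the 50% frequency reduction attributed to a control, the $500,000 control cost and the $2 million policy limit) is constructed for illustration only.

```python
"""Illustrative frequency/severity Monte Carlo for board-level CRQ metrics.

Hypothetical model (not Kovrr's Quantum methodology): annual event count
~ Poisson(freq), per-event loss ~ LogNormal(median, sigma). All parameters
below are constructed for illustration and are not calibrated to any data.
"""
import math
import random
from statistics import mean


def poisson_sample(rng: random.Random, lam: float) -> int:
    """Knuth's method; adequate for the small annual event rates used here."""
    threshold = math.exp(-lam)
    k, p = 0, 1.0
    while True:
        p *= rng.random()
        if p <= threshold:
            return k
        k += 1


def simulate_annual_losses(freq, sev_median, sev_sigma, years=20_000, seed=7):
    """Return one simulated aggregate loss figure per simulated year."""
    rng = random.Random(seed)
    mu = math.log(sev_median)  # lognormal median is exp(mu)
    losses = []
    for _ in range(years):
        n_events = poisson_sample(rng, freq)
        losses.append(sum(rng.lognormvariate(mu, sev_sigma) for _ in range(n_events)))
    return losses


def percentile(values, p):
    """Nearest-rank percentile on a copy of the data (p in [0, 1])."""
    ordered = sorted(values)
    return ordered[round(p * (len(ordered) - 1))]


def prob_exceeding(losses, limit):
    """Share of simulated years whose aggregate loss exceeds the policy limit."""
    return sum(1 for x in losses if x > limit) / len(losses)


def roi_percent(annual_cost, annual_exposure_reduction):
    """ROI as in the article: ($1M reduction on a $500k spend) -> 100%."""
    return (annual_exposure_reduction - annual_cost) / annual_cost * 100.0


def exposure_summary(losses):
    """The low / average / high figures a board slide would carry."""
    return {
        "low_p05": percentile(losses, 0.05),
        "expected": mean(losses),
        "high_p95": percentile(losses, 0.95),
    }


def control_case(freq=2.0, sev_median=600_000, sev_sigma=1.0,
                 freq_reduction=0.5, control_cost=500_000,
                 policy_limit=2_000_000):
    """Compare exposure before/after a hypothetical control that halves event frequency."""
    before = simulate_annual_losses(freq, sev_median, sev_sigma)
    after = simulate_annual_losses(freq * (1 - freq_reduction), sev_median, sev_sigma)
    reduction = mean(before) - mean(after)
    return {
        "before": exposure_summary(before),
        "after": exposure_summary(after),
        "p_exceed_limit_before": prob_exceeding(before, policy_limit),
        "p_exceed_limit_after": prob_exceeding(after, policy_limit),
        "annual_exposure_reduction": reduction,
        "roi_percent": roi_percent(control_cost, reduction),
    }


if __name__ == "__main__":
    for key, value in control_case().items():
        print(f"{key}: {value}")
```

Because the model halves a Poisson rate, expected annual loss roughly halves, so with these constructed parameters the exposure reduction lands near the $1 million figure used earlier and the ROI near 100%; the percentiles and the probability of exceeding the $2 million limit are the additional numbers a board would want beside the average. Replacing the constructed parameters with calibrated ones (from claims data or a platform such as Quantum) is what turns this illustration into a reportable metric.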
The true benefit of cyber risk quantification is that it changes the conversation from arbitrary risk metrics to metrics the organization can actually measure. By understanding and prioritizing the risks that can affect the balance sheet, stakeholders can make data-driven decisions about risk management and mitigation. Approaching cyber risk the way other operational risks are approached puts all stakeholders on the same page when discussing risk appetite, tolerance, and strategic company decisions.
Book a demo today to see how we can help you improve your reporting to the board.