Moodle ISO Harnesses CRQ to Translate Cyber Risk Into Business Terms
Moodle is a global organization providing an open-source, multilingual learning management system (LMS) for educational institutions. Developed by Moodle HQ more than 20 years ago, it's now the world's most widely sourced learning platform, utilized by hundreds of millions of learners, educators, and administrators. The company retains access to millions of data records holding highly privileged information.
Moodle’s Cyber Risk Quantification Journey, Part 1
The Problem
Chris DeNoia is the Information Security Officer (ISO) at Moodle, heading the cybersecurity team. He reports directly to the Head of Services and has frequent discussions with the executive leadership regarding the organization's cyber risk posture and broader cyber risk landscape.
Over the past few years, both within Moodle and the global market, the role of the information security officer has evolved from one that is strictly focused on developing and implementing security measures to one that now primarily involves high-level operational risk counseling. However, due to its intrinsically technical nature, cybersecurity is not always easily comprehended by the key stakeholders who are tasked with safeguarding the organization's bottom line.
Executive-Level Communication Obstacles
"Cyber risk can be very abstruse; it can suffer from subjectivity and therefore be challenging to understand."
Because of this esoteric quality, board members and C-suite executives face challenges when developing a fiscal plan, lacking data they typically have access to in other areas necessary for developing risk appetite and tolerance levels that accurately reflect the company’s risk environment. Consequently, Chris's main obstacle is being able to translate the organization's cyber risk into terms more tangible to the executives.
Data-Drive Resource Allocation Barriers
Additionally, like all department leaders facing a finite budget, the Moodle ISO requires targeted, more precise insights that will enable him to allocate resources to the most vulnerable business areas while ensuring cost-effectiveness. This data-driven prioritization will equip Chris to develop a cybersecurity plan that could simultaneously keep the organization resilient while optimizing the limited budget.
The Solution
Kovrr's cyber risk quantification (CRQ) solution is being leveraged by Chris and the cybersecurity team at Moodle to map the organization's various asset groups. The platform also provides the Moodle team with the ability to account for the third-party service providers they work with and the multiple endpoints used by employees, all crucial components for an accurate risk assessment.
The initial high-level overview offers Moodle strategic, quantified metrics regarding its cyber risk landscape. It translates obscure technical terms into a language acquiescent to the board and C-suite members. Kovrr’s CRQ platform also provides Chris and the team with tailored information regarding the types of cyber events Moodle was most likely to experience, along with their respective costs.
Detailed insights into Kovrr's data sources, data gathering and filtering processes, and the way this information is subsequently fed into the model were similarly provided by Kovrr's modeling team. Kovrr also offered Chris’s team a deeper view into the quantification methodology, highlighting the initial evaluation of cyber risk trends within the relevant industry and subsequently narrowing assessed data points down according to more specific technographics, such as revenue size and geographic location.
These personalized results will help the Moodle ISO support the organization's strategies in subsequent board meetings.
The Outcome
The event likelihood and respective forecasted financial losses provide substantive analysis and support the communications between Chris and senior leadership. These metrics help to inform high-level strategic decisions, allowing relevant parties to allocate limited resources in a manner that would ensure cyber resiliency.
Moreover, Kovrr's CRQ platform will allow Chris and the Moodle cybersecurity team to bring a more accurate, data-driven understanding to the board about the specific cyber risks the organization faces, leading to more practicable risk appetite and tolerance levels.
“With CRQ, we can] align the organization's realities of operation to the board of directors and then ensure those functions are operating within those boundaries."
One of the key barriers many information security officers face across industries is bridging the gap between cyber initiatives and broader organizational goals. However, by transforming the more technical aspects of cyber risk into terms more familiar to the boardroom, Kovrr ensures relevant stakeholders have a tangible, realistic idea of the investment levels required to keep the company cyber resilient.
The Next Steps
Moodle is only at the beginning of the CRQ journey with Kovrr, primarily running quantifications for a high-level, holistic perspective of the global organization. Although they've already started seeing value in the short few months they've been working with the platform, Chris has plans to scale the solution significantly.
The Moodle team will utilize asset groups and Kovrr's unique CRQ methodology to a greater extent to gain more granular insights into the organization's various business units. The more they drill down to the finer details, the more equipped they'll be to justify spending decisions and allocate a limited budget in a way that optimizes resources while driving the overall business mission.
Stay tuned for Part 2!
