How Cybersecurity Financial Quantification Helps CISOs Make Their Case to the Board
More enterprise business leaders are coming to understand that cybersecurity risk is business risk, and they are getting a clearer sense of the impact cyber exposures can have on the bottom line. Consider the MGM Resorts and Clorox Company incidents of last year. Both companies suffered considerable attacks, reportedly carried out by the Scattered Spider cybercriminal group, that caused widespread business disruption and substantial financial losses. For Clorox, the loss included operational disruption and a projected decrease in sales. For MGM, the attack halted certain casino and hotel computer systems and cost the company about $100 million.
Incidents like these can act as conversation starters for CISOs seeking to influence their board members at a moment when the board is eager to listen.
However, security leaders must be ready to steer the conversation in a manner that resonates with directors. They need storytelling skills that turn abstract risks into tangible scenarios. As a longtime security veteran, I've seen and heard about far too many CISO peers squandering these opportunities by presenting irrelevant facts and failing to link cybersecurity action (or inaction) to real financial outcomes. Too often, CISO board presentations are filled with technical jargon focused on technical outcomes, or the CISO papers over the lack of genuinely quantified business risk data with financial fluff.
The reality is that board members don't care about the technical details or technical outcomes. They really don't. They don't care about the facts regarding exploits and vulnerabilities. What they care about is what happens to the business when those technical outcomes play out.
Cybersecurity financial quantification can help make those connections. It is about communicating, in money terms, what happens to the business when cybersecurity goes wrong. It helps CISOs bridge the gap between breaches and technical vulnerabilities on one side and the business impact board members care about on the other. But it has to be done the right way, because boards of directors are some of the most astute leaders around and they will smell a poor financial argument a mile away.
What is cybersecurity financial quantification and why is it critical?
Business-oriented cyber risk metrics such as security ratings take exposure management data and translate technical cybersecurity risk into business risk measurements. That gives risk-related business decisions a more complete information base. Ideally, security leaders add cyber financial quantification as a further dimension of those measures: a capability that estimates the organization's potential financial exposure from the same metrics that track its technical exposures. This analysis can drive conversations between the CISO and the board that tie proposed cyber strategy firmly to business outcomes.
Financial risk quantification will not predict exactly how a given incident will change earnings or profits, but it lets CISOs show the board how bad things can get following a cyber incident, in language the board understands. This, in turn, increases the chances that the CISO obtains the resources needed to improve cyber risk management. After all, poor outcomes are a symptom of business-technology systems not being managed appropriately. Once the board understands the real-world business impact of these risks, it becomes more likely that it will fund the proper defenses and improve governance practices.
So the benefit of financial risk quantification for CISOs is not only making the case for budget and staff, but also driving a strategy that tracks to business goals. Before a CISO even starts the conversation with the board, financial risk quantification serves as a data-backed gut check that the program is focused on protecting the assets and digital processes most valuable to the business.
With that in mind, let's get to how to put cybersecurity financial quantification to work.
How to use cybersecurity financial quantification with the board
Most CISOs likely assume it makes the most sense to open the financial risk quantification discussion directly with the board. For most of them, though, going straight to the board of directors is not the best route. For several reasons, it is better to start with the chief financial officer (CFO) or the chief risk officer (CRO).
The CFO and the CRO specialize in financial oversight and risk management within the organization. Their input helps ensure the board hears a financially savvy presentation on cyber risk rather than one weighted toward technical risks and outcomes.
By involving the CFO and CRO early in the cybersecurity risk quantification process, the CISO will be better armed to discuss how cybersecurity risk quantification aligns with the organization's comprehensive risk management strategy. Not only can these leaders provide insight into financial risk matters that the CISO might not have, but they can be hugely influential allies in making the case to the board later on. They'll have access to data resources and political clout the CISO doesn't and they're better versed in the financial language the board understands.
The key to success is arming the CFO and CRO with properly quantified cybersecurity data: data that can be used to model the financial exposure created by cybersecurity events accurately and to analyze their impact. This means collecting indicators of the state of the technology stack, and of the activities around it, that reflect cybersecurity maturity, including:
- Hardware
- Software
- Patch coverage
- Timing (how quickly patches and fixes are applied)
- Software version levels
- Defenses employed
- Information about the nature of the organization, such as its size, location, industry, and more
How does such data support smarter risk decisions? It works much as auto insurance does. When an insurer gauges the risk associated with a driver, it gathers data about the driver: speed relative to the legal limit, braking style, seatbelt use, and more. From that data the insurer estimates the probability that the driver will have a costly accident. When quantifying an enterprise's cybersecurity maturity, data about the organization's security program and technology stack is used the same way, to estimate the likelihood of an incident.
What about quantifying the magnitude of a breach or incident? The auto insurance analogy holds here too: the accident corresponds to the breach. The magnitude of a severe data breach, like the magnitude of a serious car accident, is reasonably straightforward to estimate, because insurers know how costly bad accidents are, and a comparable record exists for breaches.
For cybersecurity breaches, large datasets describing historical incidents already exist. They let an organization compare itself with the losses previously incurred by companies of similar size, industry, and security profile, and from that produce defensible estimates across different categories of loss. These estimates are ranges with uncertainty attached, not single point values, and they should be presented to the board that way.
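The two ingredients above, a likelihood derived from maturity indicators and a magnitude derived from historical losses, are enough to build a simple loss model. The following is an added example, not code from the article or from any product it describes. It assumes a frequency-times-magnitude compound model (incidents per year drawn from a Poisson distribution, each incident's loss drawn from a log-normal fitted to historical samples) and uses constructed maturity scores and constructed "historical" loss figures purely for illustration; the scaling rule in event_frequency is likewise an assumption, not a published formula.

```python
import math
import random
import statistics

# Constructed illustration inputs; these are assumptions, not the article's figures.
# Maturity indicators are scored 0..1 (higher is better), playing the role of the
# insurer's driver telemetry: patch coverage, remediation timing, defenses employed.
MATURITY_INDICATORS = {
    "patch_coverage": 0.78,           # share of assets on a patched, supported version
    "remediation_timeliness": 0.60,   # share of critical fixes applied within the SLA
    "defenses_employed": 0.70,        # coverage of controls such as MFA, EDR, segmentation
}

# Constructed "historical" losses (USD) at comparable companies, grouped by loss category.
HISTORICAL_LOSSES = {
    "business_interruption": [2_500_000, 12_000_000, 40_000_000, 95_000_000, 6_000_000],
    "incident_response": [400_000, 1_200_000, 3_000_000, 800_000, 2_200_000],
    "regulatory_and_legal": [150_000, 2_000_000, 9_000_000, 500_000, 1_000_000],
}


def event_frequency(indicators, baseline=0.5):
    """Expected number of material incidents per year.

    Assumption: the peer group's baseline rate is scaled down as the mean maturity
    score rises, but never reaches zero (no control set eliminates the risk).
    """
    maturity = statistics.mean(indicators.values())
    return baseline * (1.0 - 0.8 * maturity)


def lognormal_params(samples):
    """Fit a log-normal (mu, sigma) to historical loss samples; losses are right-skewed."""
    logs = [math.log(x) for x in samples]
    return statistics.mean(logs), statistics.stdev(logs)


def poisson(rng, lam):
    """Knuth's algorithm: number of events in one year for rate lam."""
    limit = math.exp(-lam)
    k, p = 0, 1.0
    while True:
        p *= rng.random()
        if p < limit:
            return k
        k += 1


def simulate_annual_losses(indicators, history, years=20000, seed=7):
    """Monte Carlo: one simulated year per sample; returns the sorted annual totals."""
    rng = random.Random(seed)
    lam = event_frequency(indicators)
    fitted = {cat: lognormal_params(samples) for cat, samples in history.items()}
    totals = []
    for _ in range(years):
        year_loss = 0.0
        for _ in range(poisson(rng, lam)):
            # each incident incurs a loss in every category
            for mu, sigma in fitted.values():
                year_loss += rng.lognormvariate(mu, sigma)
        totals.append(year_loss)
    totals.sort()
    return totals


def summarize(totals, threshold):
    """Board-facing numbers: expected annual loss, tail percentiles, exceedance probability."""
    n = len(totals)

    def pct(q):
        return totals[min(n - 1, int(q * n))]

    return {
        "ale": statistics.mean(totals),
        "p50": pct(0.50),
        "p90": pct(0.90),
        "p99": pct(0.99),
        "prob_exceeds_threshold": sum(t > threshold for t in totals) / n,
    }


def compare_scenarios(current, improved, history, threshold=25_000_000):
    """ALE for the current program versus a proposed improvement (the budget case)."""
    before = summarize(simulate_annual_losses(current, history), threshold)
    after = summarize(simulate_annual_losses(improved, history), threshold)
    return before, after


if __name__ == "__main__":
    improved = dict(MATURITY_INDICATORS, patch_coverage=0.95,
                    remediation_timeliness=0.90, defenses_employed=0.90)
    before, after = compare_scenarios(MATURITY_INDICATORS, improved, HISTORICAL_LOSSES)
    for label, s in (("current", before), ("after investment", after)):
        print(f"{label:17s} ALE ${s['ale']/1e6:6.1f}M  p90 ${s['p90']/1e6:6.1f}M  "
              f"p99 ${s['p99']/1e6:6.1f}M  P(loss > $25M) {s['prob_exceeds_threshold']:.1%}")
```

The numbers a board can use are the ones summarize returns: the expected annual loss (ALE), the loss at the 90th and 99th percentile (how bad a bad year gets), and the probability of exceeding a threshold the CFO cares about. Running compare_scenarios with the current indicators against a proposed improvement turns a budget request into a statement of the form "this investment lowers expected annual loss from X to Y and cuts the chance of a $25M-plus year from A% to B%", which is the argument the article is asking CISOs to make. With a Poisson rate well below one, the median year shows zero loss, which is exactly why the tail percentiles, not the median, belong in the presentation.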
Such models help the board understand what is at stake for the organization and help the CISO argue for the resources necessary to reduce risk to an acceptable level. They also let the CISO compare the maturity of the program with that of peers.
Undoubtedly, the most significant benefit of cybersecurity financial quantification is its power to persuade the board. When CISOs lead with technical jargon, people tune out, and board members are no exception. And when CISOs play fast and loose with their financial quantification reporting, the board will spot it right away.
The CISOs who win their battles for resources in the years ahead will be those who lead neither with technical security jargon nor with poorly crafted financial cases, but with solid financial arguments based on realistic risk models and data.