As cybersecurity programs become more integrated into enterprise risk management (ERM) programs, security professionals grapple with new issues. Rather than relying on fear, uncertainty and doubt (FUD) to fuel their business case for budget increases, cybersecurity leaders are striving to quantify the business impact and probability of cybersecurity events while evaluating new options, including cyber insurance policies, and looking for new ways to address growing challenges, such as third-party risk management.
That’s the theme of a comprehensive CSO Online article that features insights from leading security executives and other experts, including Santa Fe Group Senior Director Mike Jordan. Mike weighs in on the growth of the cyber insurance sector. He notes that companies selling these policies have developed “a fairly good idea of what they’re willing to insure and the security measures they require you have in place in order to get a policy.” Mike’s discussion also touches on the increasingly valuable role of vendors that measure a company’s cybersecurity risks and assessment firms that conduct cybersecurity audits.
Of course, may organizations still have a ways to go when it comes to quantifying cybersecurity risks and assimilating cybersecurity programs with ERM. The article, authored by CSO Contributing Writer Maria Korolov, pinpoints several obstacles limiting progress toward those two objectives and then highlights approaches that have proven effective in clearing these hurdles.
The challenges hampering the integration of cybersecurity into overarching risk management programs include:
- Getting lost in translation: “There’s often a disconnect between the language of security and the language of risk, and that can make it harder for a CSO to play a meaningful role in the enterprise risk management discussion,” Korolov writes, noting that “many cybersecurity experts throw up their hands in frustration when asked about how they quantify the risk reduction associated with particular mitigation strategies…”
- An overly tactical focus: Cybersecurity professionals – for sound reasons – tend to focus on “very tactical technical issues,” such as patching vulnerabilities as soon as possible. While this perspective is necessary, it can be helpful to also frame and communicate security priorities in broader business terms. If a patch is needed, for example, the information security group should also estimate and communicate the potential cost – in lost business, remediation and potential regulatory fines – of leaving the vulnerability exposed.
- Quantifying risks is difficult: According to a patch management expert cited in the article, “there is no formula for calculating how much the implementation of each control lowers your risk.” While the art and science of quantifying cybersecurity risks is advancing, organizations should prioritize risks that elude quantification.
- Boards misunderstand cyber risk: Deloitte Partner Dan Kinsella frequently speaks to corporate boards about cybersecurity oversight. He says that some boards have yet to grasp the fluid nature of cybersecurity risks. Once a specific cybersecurity issue has been addressed, some boards tend to consider the matter closed. “That’s not the case with cyber risk.” Kinsella stresses.
Korolov includes high-level snapshots of effective cybersecurity-ERM integrations. Several key enablers of this approach within Aetna provide a clear picture of what is needed to succeed, including:
- Categorization: Cyber risks are treated as an operational risk within Aetna’s ERM framework.
- Involvement: Aetna’s chief security officer (CSO) is a member of the risk committee that governs the ERM program.
- Measurement: “Specific and quantitative” cyber risks are evaluated managed according to the daily risk score as they are assigned.
- Mindset: Aetna’s CSO also stresses that his group risk-management activities and requirements significantly exceed what is required from a regulatory compliance standpoint.
Korolov’s reporting also emphasizes that third party risks further complicate the already difficult challenge of measuring the probability and potential bottom-line impact of breaches. Fortunately, progress is being made – as Mike asserts: “Measuring cyber security risk,” he tells CSO, is “becoming less art, and more science.”