Enterprise risk management (ERM) is the process of assessing risks to identify both threats to a company’s financial well-being and opportunities in the market. The goal of an ERM program is to understand an organization's tolerance for risk, categorize it, and quantify it.
When companies look at enterprise risk, the traditional approach is to look at financial risks, regulatory risks and operational risks. What happens if the exchange rate drops and the interest rate rises, if new drugs don't get FDA approval, or if your main warehouse burns down?
To make the calculation, you take the potential impact of an event and multiply it by the odds of that event happening. For low-impact events, even a high probability of occurrence won't affect the company's total risk exposure by much, while for high-impact events, even a low probability of occurrence is potentially devastating.
Risks posed by the cybersecurity threat landscape are increasingly part of the ERM equation, and that poses a challenge for CISOs and other senior security professionals. Quantifying the business impact of a cybersecurity event is a very difficult, if not impossible task, and quantifying the likelihood of such an event is even harder.
Enterprise risk management process
Some companies are doing it. At Aetna, for example, cybersecurity risks are considered part of operational risk in the company's enterprise risk management framework. These risks are specific and quantitative. In fact, there's a daily risk score that gets fed into the ERM system.
CSO Jim Routh is not only responsible for this process, but is also a member of the risk committee that provides governance for Aetna's ERM program. "Security is growing in significance to effective enterprise operational risk management," he says. "Tight alignment with both the ERM and crisis management programs is essential."
It's not enough to just go by compliance requirements, Routh adds. "The rapid evolution of threat actor tactics requires consistent evolution of control design and effectiveness," he says. "Regulatory compliance is essential, but insufficient to achieve enterprise resiliency."
Focusing on business impact is a different way to think about cybersecurity, and it requires a different mindset than that of tactically responding to cybersecurity threats. Cybersecurity used to be all about preventing attacks, and a breach either occurred or it didn't.
"Now, most organizations understand that cybersecurity is not a problem to be solved but a risk to be managed," says Andrew Morrison, US leader of cyberstrategy defense and response at Deloitte & Touche. "Most of the market is acclimated to the fact that it's not longer if an attack will occur but when an attack will occur and how we will manage it. That entails a totally different mindset. "Risks, by nature, can be accepted, mitigated, or transferred," he says.
There's often a disconnect between the language of security and the language of risk, and that can make it harder for a CSO to play a meaningful role in the enterprise risk management discussion. In fact, many cybersecurity experts throw up their hands in frustration when asked about how they quantify the risk reduction associated with particular mitigation strategies, and instead point to media reports about breaches, cybersecurity frameworks like NIST and FAIR, or operational metrics when asked for validation.
In ERM frameworks, the word "risk" carries a very particular meaning. Cybersecurity leaders who come up from the technical side, as most do, tend to focus on very tactical technical issues, rather than bottom-line impacts. For example, if a vulnerability isn't patched, there's a risk that attackers will exploit it to steal data.
A business-focused description of the same problem, however, might be that patching the vulnerability will reduce the probability of a breach to a particular database, which, if exposed, will cost a particular amount of money in lost business, fines and remediation expenses. Now, the company can determine whether a mitigation plan would make bottom line sense — or if the reduction in risk isn't significant enough, or the database isn't critical enough, and the company is better off spending time and money elsewhere.
According to some experts, this isn't possible. "There's no formula for calculating how much the implementation of each control lowers your risk," says Matt McBride, EVP for digital transformation at Genesis10, which helps companies develop plans to address cybersecurity issues such as patch management.
Instead, McBride says, he helps companies prioritize risks based on what the biggest threats are. "But we're not measuring the specific change in risk based on implementing a particular tool or application. We can talk about moving an organization from a high-risk posture to a medium-risk posture to a low-risk posture."
No cybersecurity framework will quantify the economic value that results, however, McBride says. "In my experience, companies don't talk about a particular value for lowering risk.
Instead of talking about bottom-line risks, cybersecurity professionals often try to sell a story to their board to justify the budgets. "They get caught in throwing FUD around," says Brian Reed, analyst at Gartner, Inc. "Everyone knows there are scary stories out there to frighten you."
It's time to stop scaring scared people, Reed says. "The second problem is when cybersecurity technologists get in front of board members and senior management, they focus on a lot of geeky coolness," he says. "It's a lack of communication between technical people and business people. It's the same problem we've always had. Business people don't understand technology problems, and technology people don't know how to prove business value."
So, for example, a CSO going in front of senior management to talk about budgets might turn to news headlines as a crutch, such as a big new vulnerability that affected other companies, as an opportunity to delve into technical details and create some emotional impact. "Did something happen in the news?" says Matt Wilson, Chief Information Security Advisor at Pennsylvania-based consulting firm BTB Security. "Did it cause people to attack us more?"
If they try to put a risk-related number on it, it's very subjective, Wilson says. "They'll put some guidelines about what each number means, but they're honestly made up when people are scoring it. It's not like financial transactions, where they can calculate percentage of fraud, which is a fairly straightforward metric that's been honed over 50, 60 years or more."
Dion Lise, principal at One World Identity, a San Francisco-based cybersecurity consulting firm, says he hasn't yet met anyone who's solved the problem of calculating cybersecurity risk. "Most ERM frameworks are built around the known issues," he says. "There are no known issues in this space. Every event has been unprecedented. How do you calculate unprecedented risk?"
Instead, CSOs are focused on operational issues, such as reducing costs, he says. When it's time to evaluate risk, or to judge the efficacy of their security programs, they turn to anecdotes. "Target had a breach, so-and-so had a breach, fifty million users have been exposed on Facebook," Lise says. "But nobody is at the point of saying, 'This is a $40 million risk and I want $10 million to fix it.' I haven't heard that conversation from anyone I know. There aren't enough data points to calculate it."
It will take a shift from a tactical to a strategic mindset, he says, and increasing cooperation between financial actuarial experts and technologists, Lise says. "I think it's a new discipline, where IT and finance need to get together and coordinate."
Quantifying cybersecurity risk an uncertain science
Wilson and Lise aren't the only ones saying that it's too early to put hard numbers on cybersecurity risks. "Even the really big insurance players right now aren't widely promoting cyber insurance policies," says Nathan Wenzler, chief security strategist at AsTech. "They exist, and they're becoming more of a thing, but there's no static actuarial data that's consistent across the board."
What about vendors promising risk scorecards? "In my opinion, it is mostly hype," Wenzler says. "Vendors that tout their scorecard don't often talk about the fact that it's very time consuming to determine the risk factors and classify all the assets and organize it and document it so that you can then feed it into one of these systems."
Artificial intelligence (AI) and machine learning can help, but it still requires human analysis to make the final decisions — and that's a lot of hard work. However, for some companies, the effort pays off. "A few companies have gone through and identified criticality levels for all their business units and data, and they're in a better position to get automatic reporting out of it to get their single pane of glass about their risk," Wenzler says. "But if you want that view, it's a ton of work. I consult with a number of companies on this kind of thing, and most haven't done that."
To generate useful scores and metrics, companies have to classify every asset, including data, and the roles they play in the company, and the importance of those business functions and that data, Wenzler says. "If you've done all of that leg work, and put together all of that data, you can put it into your ERM system that will crunch all that data down and give you a scorecard."
More and more CSOs are being asked to do just that, says Jon Oltsik, senior principal analyst at Enterprise Strategy Group. "There's a transition happening." The risk numbers are estimates, and it's difficult to get the right data and make the right assessments, he says, but CSOs are figuring out how to do it. "That's what the business people want to see," he says.
Cybersecurity does have some specific challenges, like third-party risks and black swan events, but that happens in other areas of business, too, says Jim Reavis, CEO at Cloud Security Alliance. "There's probably a degree to which it's more unpredictable," he says. "But we have a lot of data out there, and a lot of organizations are focused on it."
The growth of the cyber insurance sector is one example of how cybersecurity risk is being calculated, says Michael Jordan, senior director at Santa Fe Group, a consulting firm that helps companies evaluate third-party vendors. "They've got a fairly good idea of what they're willing to insure and the security measures they require you have in place in order to get a policy," he says. There are also vendors that will measure a company's risk from the outside, looking for exposed systems, and assessment firms that will conduct cybersecurity audits. "It's becoming less art, and more science," he says.
How to calculate the impact of a cybersecurity event
Business impact is the first half of the cybersecurity risk equation, and can be the easiest part, especially for large companies. "In Fortune 500 companies, there are usually ERM programs already in place," says John Pescatore, director of emerging trends at SANS Institute. "It's a key starting point. The business focus on risk is usually pretty well established for any company that's been in business for a while."
However, the cybersecurity aspects might not be as established, Pescatore adds, and this is an area where CSOs will need to work together with business units. For example, he says, FedEx is used to planning for risks of disruptions that happen around Christmas, because it's a busy season for the shipping company. In 2017, however, a ransomware attack hit in June and did an estimated $300 million worth of damage. "That happened to them," he says. "But they weren't used to thinking about that."
Regulated industries have compliance frameworks that can help identify areas where cybersecurity attacks could have an impact, such as PCI in the retail industry, HIPAA in health services, and the various frameworks that apply to financial firms, publicly traded companies, and government contractors, but they're just a starting point, says Pescatore.
Take PCI, for example. The Payment Card Industry Security Standards Council focuses on protecting credit card information. A ransomware attack that takes cash registers offline might not involve a data breach but can still cause a company significant financial pain. "It wouldn't be a PCI issue because no data is exposed, but sales would go down, and the lines would get longer, and it would be a major financial impact," Pescatore says.
Identifying critical business process that may be affected by cybersecurity events is a vital job, but many fall short, Pescatore says. "A lot of CSOs are not knowledgeable enough about what is critical to the business and have not been succeeding at this."
How to calculate the probability of a cybersecurity event
Calculating the potential impact of an incident addresses only half of the risk equation, however. To calculate the probability of an incident is an equally difficult task.
Sovos Compliance, which helps companies with their taxation and compliance requirements, has tackled this problem with an outside-in approach. CSO John Strasser came to the company five years ago specifically to establish an information security program for the entire company, and the infosec ERM process has actually paved the way for the rest of the company, he says.
It is absolutely possible to calculate the risk that a particular vulnerability or other security issue will cause damage to the company, Strasser says. "I say that definitely, but also with a bit of understanding that there is a level of observational and qualitative agreement that the company has to use."
Strasser sits down with the company's CEO and CTO at least once a year and determines the risk values for both the impact and the likelihood of cybersecurity events. "From there, you can perform all manner of calculations," he says. "You can turn that into specific metrics that drive the actual risk scores down, so you can track your general risk posture over time. It does help provide a lot of clarity in the actions you take."
The first half of the risk calculation, the impact, is based on the direct and indirect costs to the company of an event, such as losing a data center or a set of data. Then, to calculate the likelihood of an event, there's a combination of public data, internal inputs, and external testing. For example, with a data center, a company can look at publicly available information about the frequency at which earthquakes and fires occur.
That data is harder to find for cyberattacks. To get these numbers, Sovos uses third-party penetration testers to judge how easy it is for someone to break into the systems -- the more time it takes, and the higher the level of skill required, the lower the probability that an attack would be successful.
"I don't think anyone has a magic bullet to judging efficacy of controls," Strasser says. "What we are left with is continual testing of the controls, with vulnerability scanning and red team-blue team and advanced penetration testing."
When can boards stop worrying about cyberattacks?
Cybersecurity risks are frustrating for corporate boards, says Dan Kinsella, partner at Deloitte Risk and Financial Advisory. "I talk to boards often on the topic," he says.
In the past, a risk would come up before the board, the company will come up with a plan to deal with it, and it's done. "The topics has been addressed and the board never has to talk about it again." For example, if there's a risk of a fire, a company might decide to install sprinklers and buy fire insurance. Then, unless something changes, the board can move on to other topics, he says. "Are we good? We're good, thanks. That's not the case with cyber risk."
In fact, not only is the cyberthreat landscape continually evolving, but technology is permeating all aspects of business at an increasing rate. Every company is now a cyber company, and every business process has a cyber component.
"Cyber risk is here to stay," he says. "It's not coming off the table. In the movie The Matrix, you have the red pill and the blue pill. The matrix is real. We have this whole other world out there. It's an incredibly broad and diverse risk domain, and it’s here to stay."