Measuring and Managing Digital Dangers
All organizations face an array of risks. These include financial, strategic, operational, compliance, and physical risks — with cybersecurity-related risk acting as an influencer or catalyst to all these enterprise risk areas. While nearly every enterprise uses a dashboard to track their financial risks and decisions, far too many organizations fall short in adopting a cyber risk dashboard. And for the few companies that do use cyber risk scorecards, many don’t fully understand what is being presented (i.e. the dashboards don’t effectively convey the risk to the Board of Directors or the Executive Suite). This failure to properly track and communicate cyber risk is an enormous blind spot for businesses, putting these organizations in a potentially perilous position.
The Building Blocks of an Effective Risk Model
Cyber risk models come in many forms. But the best ones share a couple of key characteristics:
Many people see cyber risk as a nebulous notion — an intangible concept that cannot be quantified. But this is merely a common misconception; quantitative models do, in fact, exist. You can’t effectively manage cyber risk if you’re unable measure it. A strong, yet proven, quantification model will give you the tools to convert complex digital liabilities into measurable metrics — allowing you to translate bits and bytes into dollars and cents.
2. Common Language:
Cybersecurity professionals and business executives sometimes seem to speak in completely different languages. Security specialists have a bad habit of talking in technical terms and jargon, which can be extremely confusing to the C-suite. Cybersecurity specialists need to speak to their colleagues on their terms, using the language of business. Ultimately, the entire enterprise must use a common lexicon to talk about cyber risk. An effective model will help facilitate these conversations — bridging the gap between business and technical personnel — by assigning a specific monetary value to cyber risks.
The cyber risk landscape is ever-changing. As digital threats emerge and evolve, your model needs to be able to adapt accordingly. Additionally, your cyber risk model should accommodate different levels of detail — supporting both users who just want to skim the surface and others who wish to dig deeper into the weeds.
Common Pitfalls When Designing a Dashboard
Setting up a cyber risk dashboard can seem like a daunting endeavor. But it doesn’t have to be, if you avoid these common pitfalls:
1. Preparing rather than doing:
When designing a dashboard, it’s easy for organizations to over-prepare. Executives can get paralyzed in the planning stage, but never get to the doing phase. There’s no need to endlessly plan for perfection. First get a scorecard in place, then you can iterate accordingly.
2. Compiling too much data:
As we’ve seen, risk can come in many forms, producing a massive amount of data. It can be tempting to try to incorporate all of this information into your scorecard. But this is a fool’s errand. If you wait until you’ve collected every last datapoint, you’re never going to get your scorecard started. Getting 100% of the data is really great, but that may not always be possible — or even necessary. Instead, start with a smaller and manageable chunk of data that can handle basic quality control and then go deeper from there.
3. Lack of employee buy-in:
Whenever organizations implement significant changes to operations, there is often pushback from employees. Sometimes people are simply too comfortable with the status quo of qualitative assessments and stoplight charts; other times people feel too busy to be bothered with the extra effort. This resistance can come from any employee in the enterprise, including those from senior leadership. Therefore, it is critical to have a committed executive team that champions the need for quantitative risk models. Remember: A culture of cyber resilience starts at the top; if leadership buys in, then a security culture can and will filter down throughout the organization.
Why CyberVista Chooses FAIR
In January 2018, CyberVista aligned our Executive Cyber Risk Training programs with the Factor Analysis of Information Risk (FAIR) model. FAIR is the only international standard quantitative model (accredited by The Open Group) for information security and operational risk. And we’re not the only ones who are fans of FAIR: approximately 30% of the 100 largest U.S. corporations now use FAIR for cyber risk analysis.
Unlike other models, FAIR puts a premium on precision, by presenting information risk in financial terms. No more awful, ambiguous heat maps or confusing color coded charts. FAIR quantifies cyber threats, making them measurable — and, therefore, manageable.
Take a look at the sample cyber risk dashboard posted above. Notice how cyber risk is broken down into clear categories (Legal & Regulatory Compliance, Data Integrity & Protection, etc.). Each category is then assigned a specific, quantifiable risk level. Trend lines are tracked over time. The dashboard allows executives to quickly see where their enterprise stands on cyber risk -- what’s going well and what areas are in need of improvement.