In Part 1 of this series on delivering meaningful metrics to boards, I talked about the need to discuss security risks in ways that relate to board concerns. Many CISOs are reporting the wrong metrics to boards – for example, a malware platform supposedly finding 333 million malware alerts or 234,333 wrong password entries. Without context for the organization and its particular risk posture, these raw numbers are meaningless.
Here in Part 2, I’ll explain how to go beyond raw numbers and prioritize risks, in a way that boards can understand.
Understanding risk inputs and outputs
Here’s a standard risk equation:
Likelihood x impact = risk
That’s pretty simple. So why are we so worried about presenting risks to the C-suite, if that math is so easy? The problem is that cyber complicates the equation in every direction.
For example, when we’re talking about “likelihood,” we also need to know about the likelihood of what – and from whom. We need this extra context so we can complete the equation.
The same is true of impact, which is commonly thought to be something that we CISOs control. But impact is a business decision, and therefore should be determined by business stakeholders who can define the importance of information within an IT system. The job of CISOs is to provide business teams with the framework and methodology for classifying the value of information, without confusing teams with esoteric cyber-babble.
Adding to the challenge of contextualizing risk is that it can be hard to know who’s attacking us and why. Sensational media coverage of high-profile ransomware and DDoS attacks tends to blur the true picture of risk – in other words, which attacks an organization should worry about. As security departments, we need to contextualize the threats applicable to our environments.
Consider the WannaCry ransomware attack, which topped the headlines recently – and which elevated businesses’ fears of becoming the next victim. If most of the machines in an organization are firewalled off from each other, and are accessed by only a small set of users, the risk of falling victim to such an attack is lower than in more connected networks. Perhaps we have legacy systems that can no longer be patched, so we need to understand the data these systems house, and the other systems they are connected to. At the moment, most of us don’t do a good job at this kind of threat assessment.
Risk management to produce relevant metrics
There are some great risk-management frameworks out there that take the traditional risk equation and provide some cyber relevance. However, these frameworks can be onerous to work with, and can require a thorough background in risk management. But there’s an easier way: I’ve created a four-step process to qualify threats and prioritize risks. The process helps us understand who is attacking us, what exactly they’re attacking, and how vulnerable our assets are. Armed with this information, we can create metrics, assign budgets, and prioritize efforts.
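To make the point concrete, here is an added illustration (my own example, not the article's four-step process or any framework it mentions) of running the likelihood x impact equation with the context the text asks for: a likelihood that depends on *what* threat and *from whom* (a WannaCry-style worm versus a credential-driven intrusion), an impact taken from a business-owned data classification rather than set by security, and a ranked, banded output a board can act on. The assets, weights, classification scale and band thresholds are all constructed assumptions.

```python
"""Contextualised likelihood x impact scoring over a small asset inventory.

Added illustration only: every asset, weight, scale and threshold below is an
assumed value chosen to show the method, not a measurement from any organization.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Asset:
    name: str
    data_class: str         # assigned by the business owner, not by security
    exposed_to_peers: bool  # reachable from many other internal hosts (no segmentation)
    user_count: int         # distinct people who log on interactively
    patchable: bool         # vendor still ships fixes; False = legacy, unpatchable


@dataclass(frozen=True)
class RiskLine:
    name: str
    likelihood: int
    impact: int
    risk: int


# Impact scale: business-defined data classification (assumed 1..4 scale).
IMPACT = {"public": 1, "internal": 2, "confidential": 3, "restricted": 4}

# Likelihood weights per threat profile (assumed). Each answers "likelihood of what, from whom":
#   worm       - self-propagating ransomware moving host to host (the WannaCry-style case);
#                it cares about lateral reachability and unpatched systems, not user counts
#   credential - intrusion via stolen or guessed passwords; more people logging on means more
#                chances of a compromised account, while segmentation and patch state matter less
THREATS = {
    "worm":       {"exposed": 2, "unpatchable": 2, "users_per_point": 0},
    "credential": {"exposed": 0, "unpatchable": 0, "users_per_point": 20},
}


def likelihood(asset: Asset, threat: str) -> int:
    """Score 1..5: baseline 1, raised only by the exposure factors this threat actually exploits."""
    w = THREATS[threat]
    score = 1
    if asset.exposed_to_peers:
        score += w["exposed"]
    if not asset.patchable:
        score += w["unpatchable"]
    if w["users_per_point"]:
        # one point per N users, capped at +2 so a public kiosk cannot outrank everything
        score += min(asset.user_count // w["users_per_point"], 2)
    return min(score, 5)


def prioritize(assets, threat: str) -> list[RiskLine]:
    """Apply likelihood x impact per asset and rank, highest risk first (ties by name)."""
    lines = []
    for a in assets:
        lk = likelihood(a, threat)
        im = IMPACT[a.data_class]
        lines.append(RiskLine(a.name, lk, im, lk * im))
    return sorted(lines, key=lambda r: (-r.risk, r.name))


def board_summary(assets, threat: str) -> dict[str, list[str]]:
    """Bucket the ranked assets into three bands a board can act on (thresholds assumed)."""
    bands: dict[str, list[str]] = {"high": [], "medium": [], "low": []}
    for r in prioritize(assets, threat):
        band = "high" if r.risk >= 10 else "medium" if r.risk >= 5 else "low"
        bands[band].append(r.name)
    return bands


# Constructed inventory for illustration.
ASSETS = [
    Asset("hr-fileserver",      "restricted",   exposed_to_peers=True,  user_count=40,  patchable=True),
    Asset("legacy-mri-console", "confidential", exposed_to_peers=True,  user_count=3,   patchable=False),
    Asset("kiosk",              "public",       exposed_to_peers=False, user_count=500, patchable=True),
    Asset("finance-db",         "restricted",   exposed_to_peers=False, user_count=5,   patchable=True),
]

if __name__ == "__main__":
    for threat in THREATS:
        print(f"== threat: {threat} ==")
        for r in prioritize(ASSETS, threat):
            print(f"{r.name:20} likelihood={r.likelihood} impact={r.impact} risk={r.risk}")
        print(board_summary(ASSETS, threat))
```

Two things this shows that a raw alert count cannot: the same inventory ranks differently per threat (the unpatchable, well-connected legacy console tops the worm list but is low risk for credential theft), and the impact column comes entirely from the business's classification, so security only supplies the framework and the likelihood reasoning.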