Vizzini: “He didn’t fall? Inconceivable!”
Inigo Montoya: “You keep using that word. I don’t think it means what you think it means.” -
-- The Princess Bride
There has been many a professional conversation with peers and clients where I have heard the words “Inconceivable!”. “The ‘Inconceivable!’ to the business has been reduced because our firewalls blocked X packets this month. Because we closed X change tickets this month our ‘Inconceivable!’ is lower.”
Like a moniker scrolling above these conversations goes, “You keep using that word. I don’t think it means what you think it means.”
Why do we keep acting like business risk is solved through technology and operations alone, and why do we think firewall packets blocked and ticket resolved informs business executives and aligns with business goals?
As security professionals, like Vizzini, our perceptive can tend to be self-absorbed in our understanding of ‘security’ and we’ll lead with our line whether it fits the conversation or not.
Board Perspective
“Nobody cares how many packets your firewall blocked. If security reporting doesn’t reflect your business goals, you’re doing it wrong.” - Cyber Balance Sheet
Security Operational metrics have their place in business risk; it just isn’t in the boardroom to support informed business decisions. Operational metrics mainly measure threat, remediation ticketing, and compliance. Each one of these are an important metric for secure business. However, these metrics are a cost to business and by themselves do not align directly with a business’s revenue and margin. So why do we use these metrics as our primary communication tool to the board?
What is Cyber Economics
Cyber economics is the combination of traditional economic theory with specific field-based statistical methods and data. The specificity is cyber-based events that have caused financial impacts. This includes data breaches, business interruption, ransomware, fraud, property damage, and human casualty resulting from malice or error.
In other words, cyber economics is the study of how organizations choose to employ limited cyber-based resources, which could have alternative uses, to produce various financial results for today and the future.
No matter the size of the business, every business has finite resources. As a result, executives have to make tough decisions and gamble based on the data that sits in front of them and pivot as the data changes in the future.
What is Expected Loss?
Expected loss refers to the sum of the values of all possible losses, each multiplied by the probability of that loss occurring over a stated period of time (such as the next twelve months). This value:
Sets a meaningful baseline, regulates attention to the problem, and speaks at all levels within the organization.
Summarizes the combination of the organization's exposure profile, threat profile, and cyber maturity mixed with the macroeconomic cyber risk condition.
Informs the risk resilience strategy and minimizes hype
What is Expected Loss Tolerance?
Expected loss tolerance refers to the organization's resilience threshold. This is where the cost of cyber is considered material, which means it adversely impacts reputation, revenue, and profit.
If expected loss is below this threshold, then maybe the organization can reallocated cyber budget to other critical needs of the organization.
If expected loss is above this threshold, then maybe the organization will need to reprioritized its larger budget and assign more resources to its cyber resilience strategy.
In Summary
Cyber risk has become a business risk. The conversation must evolve to represent cyber risk in business terms.
Paraphrasing Vizzini, "lets not fall victim to one of the classic blunders-the most famous of which is, “never get involved in a land war in Asia”, but only slightly less well-known is, “Never go against a Boardroom with security metrics when actual business risk is on the line!”."
Lets not be Vizzini, lets be willing to accept when something doesn’t fit, and adapt the way we communicate.