US$6 trillion – that is the damage that Cybersecurity Ventures predicts companies worldwide will lose to cyber attacks by 2021.[1] In another study, by CGI-Oxford Economics, a typical ‘severe’ cyber security breach represents a permanent cost of 1.8% of a company’s value. And when the total impact on shareholder value is taken into account, the sample of 65 ‘severe’ breaches examined in the study cost investors upwards of US$50 billion.[2]
While companies are becoming more prudent in managing cyber risks, the traditional compliance-based approach is no longer sufficient. More often than not, vulnerability reporting is couched in technicalities that are not relevant to management. It tells them neither what risks they face nor how their investments are reducing those risks.
In an environment that is growing increasingly digital, businesses’ approach to risk management must also evolve from subjective, checklist- and compliance-driven methods to risk models that are driven by data.
CISOs are realising that a risk-based approach is necessary to mitigate cybersecurity risks successfully and to free limited resources to focus on the company’s most important assets. It also ensures effective communication with senior management, in terms that the business can understand.
Additional benefits of data-driven cyber risk management:
Reporting – gives a holistic view of the risk landscape and priorities, in a language that is easily understandable.
Defensibility – evaluates and prioritises risks based on a sound methodology, and aligns project selection with corporate strategy in a quantitative way.
Transparency – enables meaningful comparison of the risk reduction benefits of projects aligned with strategy.
Automation – transforms information into high level insights, priorities, actions and effective decisions.
Adaptability – quantifies risk exposure holistically, adjusts stress tests as the risk landscape changes, and reshuffles priorities based on corporate strategy.
Effectiveness – maximises risk reduction benefits with the available resources, allocates non-financial assets efficiently, and reduces risk by focusing on the overall risk landscape.
To achieve consistent reporting, cyber risk management needs to be driven by data. Historically, cyber risk data has been poorly integrated with other business data, particularly with business impact modelling. Today, we are able to benefit from tested methodologies and a variety of data sources. The methods are designed so that documented assumptions can fill the gaps where data sources are not available. What we have learnt from our experience with our clients:
By adopting a risk-based, data-driven approach to cyber reporting, companies will move from looking only at potential losses from cyber attacks to reaping returns on sound cybersecurity investments.