The CFO’s Perspective: Steps to Quantifying Cyber Risk

Does an increase in spending lead to an overall reduction in risk? Not necessarily. An organization may spend millions on network security controls but still get breached through an application code vulnerability.

New attack methods, and new technologies to counter them, appear all the time. So, to get the most out of efforts to assess security risk, resources must be allocated such that the most effective tools and strategies are used to protect the most important information assets.

Understanding the risks and potential costs of a data breach is crucial. How would a company react if its information was disseminated to the wrong audience? What could it cost the business? While many people think “it won’t happen to me,” or assume that someone erroneously receiving sensitive data will just be honest and delete it, the news is filled with examples that tell us otherwise.

There is now a strong correlation between a breach event and the breached company’s market value once the news becomes public. Equifax, for example, saw its stock fall 31% post-breach.

Given events like this, we’re seeing a shift in how organizations approach data security from a financial perspective. According to Gartner, by 2022, 30% of Chief Data Officers will have enlisted the help of their CFOs to formally value the organization’s data assets for improved management. Also by 2022, more than 30% of businesses will use financial risk assessments of their data assets to prioritize investment choices for IT, analytics, security and privacy. 

As a CFO who works for a security company and is responsible for our company’s own security budget, I find the following three steps to be effective for beginning to protect sensitive data and for guiding security teams toward the right strategic security investments.

Formally define the organization’s risk tolerance - Start by determining the company’s risk tolerance. This is an exercise that involves leaders up to the board level. Are you risk-takers or extremely risk-averse? The answer may differ depending on what needs to be protected. Developing an understanding of tolerance levels to protect the company’s assets in a practical manner gets us beyond a culture of fear and into one that empowers participants to make strategic decisions.

Take inventory of sensitive data and evaluate solutions based on security requirements - A persistently difficult issue that finance teams face given current data-sharing practices is protecting sensitive data like financial statements and customer or employee information. It is crucial to take inventory of sensitive data within the organization and to understand the variety of data risks your organization faces so that you can plan and prioritize protections accordingly.

Based on what you need to protect, choose solutions that align with those specific security requirements. You should have basic protections like network and perimeter security, firewalls and sandboxes, and endpoint security. Be sure to also employ a data-centric approach, where the data itself is protected through encryption and real-time access controls.

Assess organizational risk - Generally speaking, quantifying risk will consist of two factors: the probability of an event happening and the potential cost (impact) if it does (Risk = Probability x Impact).

To assess probability, it’s essential to have a partnership with the IT organization to determine where data resides, what the current security posture is and how data is accessed. Knowing where and how you are vulnerable is imperative, particularly when the answer is beyond your comfort or risk tolerance level. 

Take note of your organization’s security policies and, more importantly, how consistently those policies are implemented and managed. If you are SOC 2 compliant, your risk will be mitigated by the controls identified within the internal bounds of your system.

Also take into account policies and practices for data that leaves your repositories, such as information that is shared with outside vendors, investors, customers, banks and other constituents. It is important to identify what data goes outside of the organization and assess what protection methods are used. 

To assess cost, you need to consider and understand the nature of the information being held and the potential financial impacts to your organization for lost revenue, litigation, privacy regulation penalties, contractual penalties and reputational damage.
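The three steps above can be carried through as a small worked example: a board-set risk tolerance, an inventory of sensitive data assets, and Risk = Probability x Impact applied to each asset, with impact broken into the cost categories named above (lost revenue, litigation, privacy regulation penalties, contractual penalties, reputational damage). The following is an added illustration, not code or figures from the article or its author; every asset, probability, dollar amount, control option and the tolerance threshold is a constructed sample value chosen only to make the arithmetic visible. It also goes one step beyond the text by comparing two candidate controls on risk reduction per dollar, which is the question the opening paragraph raises about spending versus actual risk reduction.

```python
"""Worked example of Risk = Probability x Impact over a small, constructed asset inventory.

All names, probabilities, dollar figures and control options below are made-up sample
values for illustration; they are not data from the article or any real organization.
"""
from dataclasses import dataclass
from typing import Dict, List


@dataclass
class Asset:
    """One sensitive data asset from the inventory (step 2)."""
    name: str
    breach_probability: float   # annual likelihood that this asset is breached (0..1)
    impact: Dict[str, float]    # cost in dollars for each consequence category if it is

    def total_impact(self) -> float:
        # Impact is the sum of all cost categories listed in the article.
        return sum(self.impact.values())

    def expected_loss(self) -> float:
        # Risk = Probability x Impact, expressed as an expected annual loss in dollars.
        return self.breach_probability * self.total_impact()


@dataclass
class Control:
    """A candidate security investment and the residual probability it leaves behind."""
    name: str
    asset: str                  # name of the Asset this control protects
    annual_cost: float          # dollars per year
    probability_after: float    # constructed estimate of breach probability once in place


# Step 1: a constructed, board-set tolerance for expected annual loss per asset.
RISK_TOLERANCE = 250_000

# Step 2: a constructed inventory of sensitive data with per-category impact estimates.
SAMPLE_ASSETS: List[Asset] = [
    Asset("customer PII database", 0.10, {
        "lost_revenue": 2_000_000, "litigation": 1_500_000, "regulatory_penalties": 3_000_000,
        "contractual_penalties": 500_000, "reputational_damage": 3_000_000}),
    Asset("quarterly financial statements (pre-release)", 0.05, {
        "lost_revenue": 0, "litigation": 4_000_000, "regulatory_penalties": 2_000_000,
        "contractual_penalties": 0, "reputational_damage": 2_000_000}),
    Asset("internal wiki", 0.30, {
        "lost_revenue": 50_000, "litigation": 0, "regulatory_penalties": 0,
        "contractual_penalties": 0, "reputational_damage": 150_000}),
]

# Two constructed investment options: a perimeter upgrade versus data-centric protection.
SAMPLE_CONTROLS: List[Control] = [
    Control("network perimeter upgrade", "internal wiki", 200_000, 0.10),
    Control("encryption + real-time access control", "customer PII database", 300_000, 0.02),
]


def rank_by_risk(assets: List[Asset]) -> List[Asset]:
    """Step 3: order assets by expected annual loss, highest first."""
    return sorted(assets, key=lambda a: a.expected_loss(), reverse=True)


def exceeds_tolerance(assets: List[Asset], tolerance: float) -> List[str]:
    """Names of assets whose expected loss is above the risk tolerance set in step 1."""
    return [a.name for a in assets if a.expected_loss() > tolerance]


def risk_reduction_per_dollar(control: Control, assets: List[Asset]) -> float:
    """Expected loss avoided per dollar of annual control cost."""
    asset = next(a for a in assets if a.name == control.asset)
    before = asset.expected_loss()
    after = control.probability_after * asset.total_impact()
    return (before - after) / control.annual_cost


if __name__ == "__main__":
    for asset in rank_by_risk(SAMPLE_ASSETS):
        flag = "ABOVE tolerance" if asset.expected_loss() > RISK_TOLERANCE else "within tolerance"
        print(f"{asset.name:48s} expected loss ${asset.expected_loss():>12,.0f}  {flag}")
    for control in SAMPLE_CONTROLS:
        print(f"{control.name:48s} ${risk_reduction_per_dollar(control, SAMPLE_ASSETS):.2f} avoided per $1")
```

With these constructed figures the customer PII database and the pre-release financial statements both sit above the tolerance while the wiki does not, and the cheaper data-centric control on the PII database avoids far more expected loss per dollar than the larger perimeter spend on the wiki. The numbers are illustrative; the point is that the same formula, applied per asset and compared against a stated tolerance, is what lets a finance and security team prioritize rather than spend by instinct.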

Having a thorough assessment of risk is a strategic imperative and an organizational priority. Companies that invest the time and resources to assess their risk will be less susceptible to unnecessary risk and more resilient in the event of an incident.
