CFOtech Australia logo
Technology news for Australian CFOs and financial decision-makers
Story image

Hard numbers: Why ambiguity in cybersecurity no longer adds up

By Contributor
Tue 17 May 2022

Article by MetricStream APAC managing director, Michel Feijen.

There are places where ambiguity and subjectivity work well – but measuring your cyber risk exposure isn’t one. 

One place where clarity is required is in the C-suite. As both cybersecurity costs and risks continue to escalate, CEOs continue to struggle with what their investment in cyber protection buys. 

When trying to gauge the effectiveness of their company’s cybersecurity, one survey found that 72% of CEOs receive metrics that “lack meaning or context,” and 87% “need a better way to measure the effectiveness of their cybersecurity investments.”

As MIT Sloan Management Review notes, “Often, executives as well as directors spend too much time studying technical reports on such things as the numbers of intrusion detection system alerts, antivirus signatures identified, and software patches implemented.” These things often get delegated and limited to the IT department but ideally, dealing with and addressing cyber security risks should be strategically managed by the top management so that risk management is not just incidence-based. 

Cybersecurity increasingly needs to learn to speak a different language. Current reforms in multiple countries - notably, Australia and the United States - would expose individual directors and executives to personal liability for cybersecurity risks. The proposals also seek to record the “substance of how a company manages its cybersecurity risk.”

That’s a profoundly different position on risk - and not one that is conducive to qualitative or ambiguous ‘traffic light system’ type representations.

The traditional approach has been to rank risks as high, medium, and low, or assess them in terms such as “probably likely to occur” or “somewhat likely to impact the business.” 

These categorisations are too vague in the modern world. Security teams might think a medium risk needs to be mitigated, but the management team might argue that it can be accepted. Defending your point of view can be tough because the term ‘medium risk’ sounds quite ambiguous.

It gets more challenging when teams have multiple risks that are all ranked medium. Which one do you focus on first? Do you spend the same amount of time and resources managing all three risks? It’s difficult to know for sure with non-quantitative metrics.

Organisations face thousands of IT and cyber risks a year. The challenge is to determine which risks should be dealt with first. Likewise, there may be hundreds of possible security controls; which one will yield the greatest benefits for the least cost? 

These are questions that CISOs must have an answer to. And to do that, they need quantitative data. Ambiguous terms must be converted into hard numbers.

Do the math

Enter cyber risk quantification - a process for measuring IT and cyber risk exposure in monetary terms. 

It’s intended to help practitioners and their employers determine which risks to prioritise and where to allocate cybersecurity resources for maximum impact.

Typically, cyber risk quantification uses sophisticated modelling techniques like Monte Carlo simulations to estimate the value at risk (VaR) or expected loss from risk exposure.

By quantifying the monetary impact of a risk event, questions like “How much should we invest in cybersecurity?”, “What will be the return on investment?” and “Do we have enough cyber insurance coverage?” can be more confidently answered.

Uncertainty is minimised when cyber risk exposure is expressed in clear and precise terms. It becomes easier to direct security investments when it’s known how much the risk will cost and how much a particular control can help lower that cost. There’s much less debate and confusion about the top three cyber risks, why they’ve been ranked that way, or which controls are most relevant to mitigate those risks. The data is already there for everyone to see.

Multiple stakeholders benefit from such clarity. CISOs gain a deeper understanding of risk impact, which helps them make data-driven decisions. Boards have more visibility into what’s at stake for the business in terms of dollar value. And executives can effectively prioritise cybersecurity investments, driving alignment between cyber programs and business goals.

Six things to keep in mind 

To quantify cybersecurity risk, organisations should consider six important points.

First, establish a common risk language. If everyone in the organisation has a different definition for each IT asset, threat, or vulnerability, it will be difficult to communicate and defend risk decisions. Standardise the risk nomenclature as much as possible.

Second, cyber risk quantification is a collaborative exercise that goes beyond the IT security department. Engage other divisions in identifying critical risk scenarios. The more perspectives that are brought to the table, the more comprehensive your risk data will be.

Third, cyber risks and threats are constantly evolving. A risk that was critical a year ago may not be as important or relevant anymore. The only way to know is to re-quantify risks at regular intervals – maybe once or twice annually.

Fourth, it’s neither efficient nor effective to cover all possible threats and risk scenarios at once. Pick one important use case and work on that before moving forward.

Fifth, automate wherever possible. Manual cyber risk quantification processes can be both complex and time-consuming. Automating those workflows can help measure a large number of risk exposures faster.

And finally, quantification isn’t a cure-all: Cyber risk quantification should enhance, not replace, other IT and cyber risk management processes. Its value is best realised when complemented with risk monitoring, qualitative assessments, internal audits, and issue management processes.

While no organisation can ever be fully immune to threats and risk, smart and calculable risk quantification, management, and measurement can help organisations get better at mitigating risks. 

Related stories
Top stories
Story image
Tech job moves
Tech job moves - Bitdefender, Cohesity, Fortinet & MODIFI
We round up all job appointments from June 27-30, 2022, in one place to keep you updated with the latest from across the tech industries.
Story image
Digital wallets
NFTs are ready to disrupt the ticketing world
The last few months have seen NFTs wielded by digital creators to take ownership over their craft and content. Now other industries are beginning to understand the real-world value that these nifty decentralised tokens can provide.
Story image
Artificial Intelligence
Juniper study reveals top AI trends in APAC region
Juniper's research shows an increase in enterprise artificial intelligence adoption over the last 12 months is yielding tangible benefits to organisations.
Story image
Infrastructure
New VMware offerings improve cloud infrastructure management
VMware has unveiled VMware vSphere+ and VMware vSAN+ to help organisations bring benefits of the cloud to existing on-prem infrastructure.
Story image
Sustainability
Honeywell launches new carbon energy management software for buildings
The new Carbon & Energy Management service allows building owners to track and optimise energy performance against carbon reduction goals, down to a device or asset level.
Story image
SaaS
Sealord partners with Infor to improve sustainability
Sealord has chosen Infor as a strategic partner to implement an operational cloud-based platform that provides day-one functionality and sustainability gains.
Story image
Accounting
One in five Aussies never reimbursed for work expenses
A new survey has exposed Australian employee job dissatisfaction, with many being left out of pocket for work expenses. 
Story image
Digital Transformation
What CISOs think about cyber security, visibility and cloud
Seeking to uncover the minds of CISOs and CIOs across Asia Pacific, my company recently asked Frost & Sullivan to take a snapshot of cloud adoption behaviour in the region.
Story image
Hybrid workforce
Why hybrid working is here to stay and how to ace it
Citrix's new report reveals hybrid workers are more productive and engaged at work than their office and completely remote counterparts.
Story image
MarTech
Martech experts reveal the “buzz” on personalisation
In the digital age, innovative technology must be leveraged to power an efficient and effective relationship marketing strategy.
Story image
Cryptocurrency
NOWPayments launches new service to analyse cryptocurrency fees
NOWPayments has launched a new network fee optimisation solution that analyses current network fees and picks the most profitable option out of the client's payout wallets.
Story image
Public Cloud
Public cloud services revenues top $400 billion in 2021
"For the next several years, leading cloud providers will play a critical role in helping enterprises navigate the current storms of disruption."
Story image
Cybersecurity
Video: 10 Minute IT Jams - An update from CrowdStrike
Scott Jarkoff joins us today to discuss current trends in the cyber threat landscape, and the reporting work CrowdStrike is doing to prevent further cyber harm.
Story image
Samsung
Monitors are an excellent incentive for getting employees back
The pandemic has taught us that hybrid working is a lot easier than we would’ve thought, so how can the office be made to feel as comfortable as home? The answer could be staring you in the face right now.
Productivity
Discover the 5 ways your ERP may be letting you down. Is your current system outdated, difficult to manage, and costing you a fortune?
Link image
Story image
Robotic Process Automation / RPA
Salesforce announces latest generation of MuleSoft
Salesforce has introduced the next generation of MuleSoft, a unified solution for automation, integration and APIs to automate any workflow.
Story image
API
Industry-first comprehensive risk-based API security enhances protection
Application Programming Interfaces (APIs) have become a crucial part of operating web and mobile application businesses and are causing significant economic growth in the digital sector.
Project management
Discover the 4 crucial factors for choosing the right job-costing solution. Is your team struggling to cost jobs and keep projects running on budget?
Link image
Story image
Market growth
Salesforce unveils new offerings for consumer goods companies
Salesforce has announced new products for consumer goods companies to help brands navigate increasing market complexity more easily.
Supply chain
Discover the 4 critical priorities for wholesale distribution businesses in FY23. Are you worried about how supply chain issues may affect your business in 2023?
Link image
Story image
Gartner
Gartner's top recommendations for security leaders
"Leaders now recognise that major disruption is only one crisis away. We can’t control it, but we can evolve our thinking, philosophy, program and architecture.”
The Access Group
Struggling to understand which transformative technologies will help your business? The Access Group provides a look into key opportunities and impacts for finance.
Link image
Story image
Macquarie Data Centres
Macquarie deal to pioneer CO2-cutting data centre tech in Australia
Macquarie Data Centres has signed a multi-year deal with ResetData, an Australian first provider using Submer data centre technology. 
Story image
New Relic
How to tackle the great brain drain in the tech industry
Attracting and retaining tech talent in Australia and New Zealand is becoming increasingly challenging, with the 2022 Hays Salary Guide showing a startling 91% of employers facing a skills shortage.
Story image
Artificial Intelligence
Accenture shares the benefits of supply chain visibility
It's clear that gaining better visibility into the supply chain will help organisations avoid excess costs, inefficiencies, and complexity to ultimately improve their bottom line.
Story image
Accounting
Four factors to consider when choosing the right job accounting solution
Progressive job-based businesses can achieve success by strengthening their ability to quantify every cost attributable to the delivery of an outcome for a customer.
Story image
Contact Centre
Customer service agents don't want to return to contact centres
A new report has revealed that 85% of customer service agents want to work full-time at home and not return to contact centre offices.
Story image
Digital Transformation
Stax and Consegna partner to accelerate modernisation
According to a statement, the new alliance will help both companies expand their reach across the region and realise joint goals.
Story image
Airwallex
How Airwallex helps businesses achieve globalisation success
As markets continue to shift, businesses need to be able to provide the same quality of service for customers regardless of where they are located around the world.
The Access Group
Health and social care organisations are currently under significant financial pressure. Find out how financial transformation can help provide an effective route forward.
Link image
Story image
Tech job moves
Tech job moves - ActiveCampaign, Arcserve, LogRhythm & Qlik
We round up all job appointments from June 17-22, 2022, in one place to keep you updated with the latest from across the tech industries.
Story image
Payroll
How New South Wales state departments achieved cloud migration success
State departments in New South Wales are heading to the cloud to achieve better workflow solutions, and one company is paving the way for their success.
Story image
Data Protection
Five signs your business is ready to move to the cloud
Many organisations are thinking about moving to the cloud. But what are the signs you are ready, and what are the reasons to move?
Story image
Enterprise Resource Planning / ERP
Five ways your ERP is letting you down and why its time for a change
Wiise explains while moving to a new system may seem daunting, the truth is that legacy systems could be holding your business back.
Story image
3D Printing
Fleet Space, Konica Minolta partner for 3D printer offering
Fleet Space has partnered with Konica Minolta to implement 3D printers from 3D Systems to support the commercial small satellite manufacturer’s offerings.
The Access Group
Increasing headcount isn't always the best way to grow. A good financial strategy can help solve many issues, and The Access Group shares the secret to success.
Link image
Digital Transformation
Discover the 5 signs your business is ready for a cloud-based ERP. Is your business being left behind as more of your competitors switch to the cloud?
Link image
Story image
Talend
Forrester names Talend Leader in enterprise data fabric
Forrester has named Talend a leader among enterprise data fabric providers in the Forrester Wave: Enterprise Data Fabric, Q2 2022 report.
Story image
NaaS
Survey finds 94% of Australian IT leaders looking at NaaS
Aruba’s latest survey reveals a rising interest in NaaS among Australian technology leaders as they re-evaluate their current infrastructure and network setup.
Story image
MSP
Video: 10 Minute IT Jams - An update from CyberArk
Olly Stimpson joins us today to discuss the importance of MSP programmes and how MSP partners are experiencing success with CyberArk.
Story image
Attack
Phishing attacks are making a comeback
No matter what approach or tool cybercriminals use to breach a network, they all have one thing in common: access.
Story image
Music
Mastercard reveals first-ever album titled Priceless
Mastercard's music album Priceless has been unveiled at the Cannes Lions Festival of Creativity and features 10 songs by 10 artists worldwide.
Story image
Wiise
Four things wholesale distributors need to consider for FY2023
In a post-pandemic world, there are many things for a distribution business to juggle. ERP solutions company Wiise narrows down what companies should focus on.
Story image
Citrix
The best ways to attract young talent during labour shortages
New research from Citrix reveals hybrid working and ventures into the metaverse are top of mind for Gen Z workers.