Overcoming Cybersecurity Communications Barriers

By Chris Harner and Chris Beck for CFO.com

During the Napoleonic campaign in Egypt, a French army officer made a startling discovery. While building Fort Julien in 1799, he noticed a slab with writing on it. Now known as the Rosetta Stone, it provided a translation from hieroglyphics to Greek, finally deciphering ancient Egyptian writing.

For many senior executives today, the jargon of cybersecurity may feel like hieroglyphics — a mysterious language that requires translation. There is a significant need in the market to transform cyber assessments, information technology metrics, and information security into the common language of risk management.

Furthermore, there is a lack of consensus on how to categorize cyber risk within a risk taxonomy. The insurance sector often views it as a financial risk, banks may consider it an operational risk, while other industries may see it as a strategic or stand-alone risk.

Assessing the effectiveness of a company’s security protocols often falls short of assessing the more mature risks, such as credit and market. And no wonder: this very technical, high-velocity, and fast-evolving risk doesn’t easily translate to any traditional metrics that company management and board members typically are used to.

This lack of a common vernacular creates a communication barrier between cybersecurity experts and management/the board. In order to bridge the gap, a new approach is required that makes it possible for all of these stakeholders to speak the same language.

To understand the cyber communication disconnect, it’s necessary to first examine who’s doing the talking.

Most of the companies and technologies that power the interconnected world are barely old enough to drive. And the skills, tools, and language of cyber professionals are just as new. In contrast, the core skills and language of finance are well-tested and have been by the side of senior executives and board members throughout their careers.

This communication relationship is akin to a teenager using emojis and text-message acronyms to communicate with someone who doesn’t own a cell phone.

In today’s cybersecurity and risk discussions, senior executives and board members are often confronted with terms specific only to this risk, such as threat vectors, encryption protocols, phishing tests, password cadences, endpoint protections, and dozens of other inputs related to IT security.

Steeped in a vocabulary rooted in computer programming and IT systems, cybersecurity professionals often have backgrounds in coding and systems rather than finance. That can be a drawback in translating the details of a cyber vulnerability into the financial terms used to determine how to mitigate risk.

Further complicating the situation is a class of “nontechnical” chief information security officers (CISOs) who are responsible for cybersecurity and reporting to the board, but who possess neither deep IT expertise nor rich content in risk management.

A Non-Strategic Approach

Of course, the reason we should we care about translating this complex technical language into financial terms is that, depending on a company’s size and other factors, tens or hundreds of millions of dollars could be at stake. Furthermore, executing a sound cyber defense strategy may significantly impact IT headcount and budget needs.

Yet communications between cyber professionals and management/boards remain fractured, because their meetings are rarely held within the context of strategic decision making. That is, the discussions don’t feature consideration of risk appetite and tolerances, cost-benefit analyses, return on investment, operational outcomes, or other financial measures typically used to weigh alternatives and prioritize initiatives.

Think about what would happen if a fire started at work and there had been no fire drills. Without a holistic view and careful understanding of the actions that should be taken when someone yells fire, everybody would just run. However, running during a fire is not as important as knowing where to run and having planned the safest route in advance.

As critical as cybersecurity is, boardroom action on this issue is often reactionary or misallocated due to the difficulty of quantifying the risk, communicating the issues, and prioritizing action.

Today, what passes for cyber risk assessment is really just another controls assessment. Controls exist to mitigate risk; in the cyber arena companies need to shift from mere qualitative assessment to quantitative loss distribution.

Finding a common language — a framework comparable to the one used for other risks — is further complicated by the unique nature of cyber risk. Unlike nearly every other risk, cyber’s ever-changing nature stems from the fact that a human being is at the center of the attack, intentionally working to exploit a firm’s vulnerabilities while outsmarting its defenses.

And thanks to increasingly sophisticated and well-funded perpetrators, this can affect not only the types of attacks companies may experience but also the potential impact of a breach. Not only is the threat of cyberattacks changing rapidly, it often morphs and adapts to cyber defenses faster than companies can keep up.

Moreover, as cyber threats have increased in sophistication, the attack surface is increasing the opportunity for exploitation. Today’s wireless and interconnected ecosystems provide even more opportunities to gain unauthorized access to systems or data. Extended supply chains and growing vendor networks also expand the attack surface, complicating how to determine the actual threat and configure a comprehensive defense.

Meanwhile, the internet of things, the cloud, and other technologies continue to transform the processes and practices of businesses, making their functionality ever more interconnected and interdependent. The effects of one risk event (such as a partial system shutdown in operations) can weaken a management team’s ability to respond to threats in other areas.

New cyber risk frameworks must be able to account for risks that influence one another, often in subtle but substantive ways that traditional, silo-based list management approaches are unable to identify and detect.

Additionally, cyber data is not consistently captured, and there is no longstanding historical data for this risk that continues to evolve. Cyber models must be able to balance industry data, company-specific data, assumptions, and expert judgment to avoid masking a risk that may have eluded traditional methods.

So how do you take the ever-changing nature of cyber risk and its technical components and translate it into traditional — and especially actionable — reporting metrics?

An effective cyber risk model must measure, aggregate, and convert cyber metrics into intelligible reporting linked to the balance sheet, in particular how much capital is at risk in the event of a breach.

This approach allows cyber risk to be reported in the same loss distribution framework as other risks. It also gives cyber professionals the metrics to convert a threat into an estimated loss and thus speak the board’s language.

From this vantage point, a company’s board can decide how much cyber risk it is willing to accept and prioritize the implementation of cyber controls.

With a holistic modeling capability for cyber risk, the CISO and chief risk officer can tell a coherent story to senior management, allowing it to understand budgetary requirements, how to allocate funding more effectively, and how much capital is at risk due to a cyber threat.

An effective cyber risk model will translate the complexities of cyber defenses into actionable metrics, whether they’re visuals, dashboards, or other financial reporting tools. It’s this shared language that can give board members, the management team, and cyber professionals a jumping-off point to determine an acceptable level of risk, prioritize controls, and create actionable goals.