
The experts continue to bombard us with their advice, insight, and guidance for addressing cyber.
One of those experts, KPMG, recently shared What’s next: Key cyber considerations for 2019. Unfortunately, I don’t think it has much to say that is new or valuable – it points out what we should all already know. Frankly, it’s more a marketing piece than thought leadership.
The FAIR Institute has probably the best methodology for quantifying cyber exposure. Their chairman has penned an interesting document, Understanding Cyber Risk Quantification, a Buyer’s Guide.
He makes a number of points with which I agree, including:
- The cyber risk landscape is increasingly impactful, complex and dynamic, and organizations have limited resources to apply to the problem.
- Furthermore, every dollar spent on cyber risk management is a dollar that can’t be spent on other business or mission imperatives.
- It’s important to recognize, however, that measuring risk quantitatively shouldn’t be a goal in itself. What is most important is ensuring well-informed decisions through reliable and meaningful risk measurements (whether qualitative or quantitative).
Unfortunately, the decisions envisaged by the author are what I would call siloed decisions. He talks about funds being allocated for cyber and how the FAIR methodology can be used to decide where to spend those funds.
The FAIR and other methodologies and guidance are not nearly as useful as they need to be in providing the information that executives need to make strategic and tactical decisions, such as:
- How do I ‘aggregate’ the various risks to my business and its objectives? How do I see the big picture so I can consider whether the potential rewards from a new venture outweigh all the related (downside) risks? A cyber risk assessment using FAIR or another approach doesn’t give me something I can readily add to other business risks to see that big picture.
- How much should I invest in cyber when (as pointed out in the FAIR document) “every dollar spent on cyber risk management is a dollar that can’t be spent on other business or mission imperatives”? When is it right to accept cyber risk?
- How do I compare the value to the business of investing in cyber protection to the value obtained from an investment in new products or a marketing initiative?
I tried to address these and other questions in Making Business Sense of Technology Risk.
Have you seen an approach that works, providing management and the board the information they need to make strategic and tactical business decisions?
A list of risks, or a prioritized list of information assets, is not helpful in deciding whether to launch a new highly automated product or open an office in Warsaw.
I welcome your thoughts.