One challenge information security professionals have long struggled with is the ability to speak to enterprise leaders and boards of directors in a language they understand. Breaking down vulnerability types, CVE scores, or APT names just doesn’t fly in the boardroom.
What does fly is numbers.
CISOs who have found a way to translate threats and risk into quantifiable losses or risks to the business have had more success in gaining resources, including financing for new technology or staffing investments.
In this episode of the Claroty Nexus Podcast, Alexander Antukh, the chief information security officer at AboitizPower, the Philippines’ largest owner and operator of renewable energy, discusses one path toward that end: cyber risk quantification (CRQ).
CRQ is the process of calculating risk exposure and its impact on the organization, Antukh said, adding that CRQ enables him to describe risk in business-relevant terms: the potential financial impact and the way his organization calculates that risk.
“Start to speak the language that everybody in the world understands; we speak the language of dollar values. We do not need to speak the language of matrices,” Antukh said. “There are benefits that are associated with the fact that we have that language of dollar values.”
Those benefits, he said, include the ability to calculate and articulate a return on investment of a proposed initiative, based on an understanding of the financial impact of cyber risk. Antukh’s office, for example, works from a baseline of 10 risk scenarios for his business.
“And then by quantification, we can understand what are the ranges of the possible and likely financial impact there,” he explained. “Having that, we also can prioritize our risks accordingly, both the risk treatment and the remediation strategies, and we can justify the budget and future investment here. So it's really, I think we would need to think about it as a tool to make better decisions in terms of our risks and in terms of how to move forward with those.”
Antukh says that CRQ within operational technology (OT) environments may be more cut-and-dried than a strictly IT calculation.
“For OT, it is very common to calculate daily revenue and daily revenue losses and contractual obligations as the source of data for quantification,” he said. “So we would say, ‘Hey, we have a plant there. We know that on a normal day, we would produce, let's say, energy and we'd be able to sell that for, I don't know, let's say 100K.’
“We know that if we do not provide that, and if we have a disruption, then we also would need to pay a certain penalty; it's very one-to-one. So it's quite easy to say that if there is ransomware, if there is some kind of operational disruption and so on, and we expect it to last between six and 10 days, then the impact would be X, and we just multiply, and that's it. So in that regard, it's in a way easier than IT, for example, to estimate what's the cost of a data breach when personal data is leaked.”
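The calculation Antukh describes (daily revenue loss plus a contractual penalty, multiplied over an expected range of disruption days, then used to prioritize scenarios) can be written down as a small model. The block below is an added illustration, not code from the podcast, from Claroty or from AboitizPower; the 100K-per-day and six-to-ten-day figures follow the interview, while the per-day penalty rates, the second and third scenarios and the class and function names are constructed for the example.

```python
"""Simple OT cyber risk quantification (CRQ) model (added illustration).

Impact per scenario = (daily revenue lost + daily contractual penalty)
                      x number of disruption days,
evaluated at the low and high end of the expected duration range and
then ranked so the largest worst-case exposure is treated first.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class OutageScenario:
    name: str
    daily_revenue: float   # revenue a normal production day would bring in
    daily_penalty: float   # contractual penalty owed per day of non-delivery (constructed assumption)
    min_days: int          # shortest expected disruption
    max_days: int          # longest expected disruption

    def loss_per_day(self) -> float:
        """Revenue forgone plus penalty incurred for each day the plant is down."""
        return self.daily_revenue + self.daily_penalty

    def impact_range(self) -> tuple[float, float]:
        """Low and high bound of the financial impact over the duration range."""
        return (self.loss_per_day() * self.min_days,
                self.loss_per_day() * self.max_days)


def rank_scenarios(scenarios: list[OutageScenario]) -> list[OutageScenario]:
    """Order scenarios by worst-case impact, highest first, for treatment prioritization."""
    return sorted(scenarios, key=lambda s: s.impact_range()[1], reverse=True)


def impact_table(scenarios: list[OutageScenario]) -> list[tuple[str, float, float]]:
    """Ranked (name, low impact, high impact) rows, ready for a board-level summary."""
    return [(s.name, *s.impact_range()) for s in rank_scenarios(scenarios)]


# Constructed sample scenarios. Only the first follows the figures quoted in the
# interview (100K per day, 6 to 10 days); the penalty and the other two rows are invented.
SAMPLE_SCENARIOS = [
    OutageScenario("Ransomware disrupts plant A", 100_000, 20_000, 6, 10),
    OutageScenario("Control-network outage at plant B", 40_000, 5_000, 1, 3),
    OutageScenario("Vendor remote-access compromise, plant A", 100_000, 20_000, 1, 2),
]

if __name__ == "__main__":
    for name, low, high in impact_table(SAMPLE_SCENARIOS):
        print(f"{name:42s} ${low:>12,.0f} to ${high:>12,.0f}")
```

Ranking on the high end of the range is a deliberate choice: when the duration is uncertain, the worst case is what the business is being asked to fund against, and it keeps a short but expensive scenario from being buried under a long but cheap one.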
Michael Mimoso is Director of Influencer Marketing at Claroty and Editorial Director of Nexus.