
Use Historical Trends to Improve Cyber Risk Assessment Processes

The maturing practices of cybersecurity risk quantification help organizations measure risk and identify resource trade-offs for cybersecurity spending.

Various standards and regulations require organizations to perform cybersecurity risk assessments on a periodic basis; ideally, annually or whenever there is a change to the operating environment. Risk assessments involve evaluating the likelihood and magnitude of cyberthreats and the impact of mitigating controls. Results often include a list of the most significant risks and related controls for addressing such risks, along with areas where controls are missing (i.e., control gaps) or need to be matured.

What organizations do with that information — how they evaluate and prioritize which controls to mature and which gaps to address — is crucial to their overall cybersecurity strategy. Taking the next step, while avoiding a misstep, is essential.

Executive leadership is responsible for implementing an organization’s overall digital strategy while striving to stay within its appetite for risk. A key element of this balancing act is deciding how to allocate limited resources and what levels of risk to accept, mitigate and transfer (for example, with cyber insurance).

These options involve trade-offs for security, so it’s critical to get the decision-making process right. That’s where the emerging practice of cyber risk quantification comes in. It’s a crucial tool as organizations seek to make the most of limited cybersecurity budgets.

As Gartner notes, risk quantification is well established, but organizations are just beginning to understand how to apply these principles to cybersecurity. Gartner recommends that organizations take advantage of professional services and emerging applications that can help them choose the right tools to support risk quantification, identify the best use cases for cyber risk quantification and incorporate data inputs in a way that leads to a better decision process.

Let’s take a high-level look at cyber risk oversight and how that affects the way organizations assess, prioritize and remediate security gaps.

Increased Pressure on Boards of Directors for Cybersecurity Oversight

Cybersecurity is mission-critical for every organization. This means the board of directors should provide heightened scrutiny of an organization’s cybersecurity practices. Recent court rulings have increased the pressure on public company boards and corporate officers to fulfill their “duty of loyalty” obligations. These responsibilities include establishing information systems to monitor risks, respond to red flags for noncompliance and communicate risks to shareholders. Without adequate cybersecurity risk oversight, directors and officers may be legally liable.

Corporate governance calls for boards to provide oversight to ensure that policies and procedures are in place and that they are consistent with an organization’s strategy and risk appetite. That understanding informs organizational decision-making related to resource allocation to address cybersecurity gaps, mature existing cyber controls and transfer risk via cyber insurance.

Risk Quantification Helps Organizations Allocate Resources Effectively

In the past, many organizations responded to cybersecurity risks by allocating resources without effectively assessing the threat impact, largely because it was difficult to consistently and easily quantify cyber risk dollar exposure given the evolving nature of cyberthreats. However, with costs rising and risks evolving, leading organizations are starting to apply a more considered risk-based economic approach based on potential financial loss, resulting in better allocation of cybersecurity resources. This evolution is largely the result of an emerging approach using cyber risk quantification tools that incorporate industry and business-specific factors to estimate a range of outcomes based on historical trend data. It also better aligns with how cyber insurance underwriters evaluate cyber risk.

Cyber risk quantification tools support a rational, data-driven approach to cyber spending across cyber risk categories and help organizations understand the implications of their decisions to spend money on controls and cyber insurance.

Story by Larry Burke, CPA, CGMA, CITP, a principal with the Global Security Strategy Office of Focal Point. He serves as an executive leader providing governance, risk and compliance advisory and assurance services, mostly to large global organizations operating in industries under various regulatory and industry frameworks including SOX, NIST, ISO, COBIT, COSO and FTC consent orders. He also serves as the lead audit executive for several internal audit outsource and co-source engagements reporting to the Audit Committee. Before Focal Point was acquired by CDW in 2021, he served as the managing partner of Focal Point Data Risk Assurance, which is a CPA firm that issued SOC 1/2/3 and HITRUST reports. Previously, Burke served as the CFO of a national healthcare services firm. He has also held progressive financial leadership positions in both publicly traded companies and in public accounting. He is a doctoral candidate in the executive Ph.D. program at Florida Atlantic University.

Larry Burke

CDW Expert
Larry Burke is a principal and vice president with the Global Security Strategy Office at CDW, serving as an executive leader providing governance, risk and compliance advisory services, mostly to large global organizations operating in industries under various regulatory and industry frameworks.