In a new survey from Microsoft and insurance broker Marsh, only 17% of the senior executives surveyed said they had spent more than a few days, cumulatively, on cyber risk over the past year. More than half, 51%, had spent several hours or less. Yet 80% of organizations ranked cyber risk as a top-five concern.
If that’s not depressing enough for cyber risk managers, the survey also asked what would most affect spending on cyber risk management, and the answers were mostly outside influences (FUD, really), not internally generated risk assessments: 64% said “a cyber attack on our organization”, 46% said “news of a cyber attack on another organization”, and so on.
What’s wrong with this picture? Well, as FAIR Institute Chairman Jack Jones wrote recently in “Quit Blaming Executives for Cybersecurity Problems”:
“In all of my years as a CISO I never encountered an executive who didn’t care about or appropriately support infosec when I could convey it to them in terms they understood,” Jack wrote. “From where I sit, the onus is on our profession to take an honest look at how we understand, measure, and communicate the challenges within our problem space.”
Technical scoring systems like CVSS (which rates the severity of a vulnerability, not the probability or cost of a loss), red/yellow/green heat maps based on subjective risk evaluation, or maturity models gauging how far an organization has progressed toward NIST Cybersecurity Framework perfection don’t ultimately present cyber risk in the financial terms that business leadership needs to make risk-informed decisions. No wonder executives report paying so little heed to cyber risk.
Jack Jones’s creation, the FAIR model, quantifies cyber, technology and operational risk in financial terms, and is rapidly gaining acceptance as the standard for quantitative analysis. NIST recently added FAIR as an informative reference for the NIST CSF, and published a “success story” detailing how Cimpress leveraged both standards for risk-based decision making.
Meet Jack Jones at the upcoming FAIR Conference, the leading conference for education and advocacy for better communication of cyber risk in business terms. Representatives from NIST and Cimpress will also be on hand to discuss the Cimpress case study; other conference sessions will explore presenting cyber risk to the board, integrating cyber to enterprise risk management, and aligning threat intelligence with risk quantification.
Now, the survey found that “30% of organizations reported using quantitative methods to express cyber risk exposures, up from 17% in 2017.” But is that true cyber risk quantification, or just substituting numbers for colors in subjective risk analysis? True quantification requires a business to focus on a specific scenario involving a quantifiable loss event, with an estimated frequency and an estimated magnitude in currency. And, sure enough, the next finding in the survey was that “less than 30%...have modeled cyber loss scenarios.”
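To make the distinction concrete, here is an added illustration of what “modeling a cyber loss scenario” means in practice. It is not code from the survey, from Microsoft, Marsh or the FAIR Institute, and it is a deliberate simplification of FAIR: a single scenario is described by a calibrated min / most-likely / max range for loss event frequency (events per year) and for loss magnitude (cost per event), a Monte Carlo simulation draws many simulated years, and the output is an expected annual loss plus tail values and exceedance probabilities. The scenario, its ranges, the use of PERT-shaped estimates and the Poisson event count are all assumptions made for the example.

```python
import math
import random


def pert_sample(rng, low, mode, high, lam=4.0):
    """Draw one value from a PERT distribution (a beta distribution stretched
    over [low, high]) from a calibrated min / most-likely / max estimate.
    Weighting the mode by lam=4 is the usual PERT convention."""
    if high <= low:
        return low
    alpha = 1.0 + lam * (mode - low) / (high - low)
    beta = 1.0 + lam * (high - mode) / (high - low)
    return low + rng.betavariate(alpha, beta) * (high - low)


def poisson_sample(rng, rate):
    """Number of loss events in one simulated year for an expected rate
    (Knuth's method; adequate for the small rates of a single scenario)."""
    limit = math.exp(-rate)
    count, product = 0, rng.random()
    while product > limit:
        count += 1
        product *= rng.random()
    return count


# Constructed scenario (an assumption for this example, not survey data):
# a ransomware outbreak that takes an order-fulfilment platform offline.
RANSOMWARE_SCENARIO = {
    "name": "Ransomware outage of order-fulfilment platform",
    "loss_event_frequency": (0.1, 0.5, 2.0),         # events per year
    "loss_magnitude": (50_000, 250_000, 2_000_000),   # USD per event
}


def simulate_annual_losses(scenario, runs=10_000, seed=7):
    """Monte Carlo over one year: sample an event rate, draw that many
    events, and sum their magnitudes. Returns one total per simulated year."""
    rng = random.Random(seed)
    annual = []
    for _ in range(runs):
        rate = pert_sample(rng, *scenario["loss_event_frequency"])
        events = poisson_sample(rng, rate)
        annual.append(sum(pert_sample(rng, *scenario["loss_magnitude"])
                          for _ in range(events)))
    return annual


def percentile(values, p):
    """Nearest-rank percentile of a list of simulated annual losses."""
    ordered = sorted(values)
    idx = min(len(ordered) - 1, int(round(p / 100.0 * (len(ordered) - 1))))
    return ordered[idx]


def summarize(annual):
    """The figures leadership can act on: expected annual loss and the tail."""
    return {
        "annualized_loss_expectancy": sum(annual) / len(annual),
        "median": percentile(annual, 50),
        "p90": percentile(annual, 90),
        "p95": percentile(annual, 95),
        "max": max(annual),
    }


def exceedance_probability(annual, threshold):
    """P(annual loss > threshold): what a CFO or insurer needs to set
    a retention, a policy limit or a control budget."""
    return sum(1 for x in annual if x > threshold) / len(annual)


if __name__ == "__main__":
    losses = simulate_annual_losses(RANSOMWARE_SCENARIO)
    print(RANSOMWARE_SCENARIO["name"])
    for key, value in summarize(losses).items():
        print(f"  {key:>27}: ${value:,.0f}")
    for threshold in (500_000, 1_000_000, 2_000_000):
        pct = exceedance_probability(losses, threshold)
        print(f"  P(annual loss > ${threshold:,}): {pct:.1%}")
    # Compare a heat-map cell such as likelihood 4 x impact 5 = 20: it has no
    # unit, cannot be summed across scenarios, and cannot be spent against.
```

The point of the exercise is not the particular numbers, which depend entirely on the calibrated ranges, but that every output is in currency per year and can be compared with the cost of a control, an insurance premium, or any other enterprise risk; changing a range (for example, narrowing the frequency estimate after a control is deployed) re-runs the model and shows the change in exposure in the same terms.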
Hat tip to Microsoft and Marsh for drawing this conclusion from their survey:
“Many organizations focus on technology defenses and investments to prevent cyber risk, to the neglect of assessment, risk transfer, response planning, and other risk management areas that build cyber resilience."
And recommending this best practice:
“Quantify cyber risk to drive better informed capital allocation decisions, enable performance measurement, and frame cyber risk in the same economic terms as other enterprise risks.”