Risky Business: Making Cybersecurity Investments During Uncertain Economic Times


“Uncertainty is the only certainty there is…” – John Allen Paulos, mathematician and author.

This quote captures the unpredictable nature of life. No matter how much we plan, conditions change, and in business, that means risk.

This blog post is contributed by GuidePoint Security, a FAIR Institute sponsor. Author Ben Moreland is Risk Practice Director at GuidePoint Security.

Whether you’re a CIO, CISO, or an IT/cybersecurity professional, you’re in the business of managing risk. Right now, the economic landscape is making that job even more complicated. Let’s look at a few recent shifts that are reshaping how companies operate, invest, and price their goods and services:

Economic Policy and Federal Restructuring

  • Federal hiring freeze and mass layoffs, part of a broader effort to reduce government size and spending.

Monetary and Financial Policy

  • As of May 7th, the Federal Reserve, under the leadership of Chairman Jerome Powell, maintains the federal funds rate at 4.25% to 4.5%, adopting a cautious “wait and see” approach amid economic uncertainties.

Trade and Tariff Developments

  • Tariffs on Chinese imports, steel and aluminum, proposed tariffs on BRICS nations’ goods…

Government software procurement has slowed. For many organizations this may mean tighter software budgets, pressure to consolidate platforms, and more aggressive vendor negotiation strategies. Stable but high interest rates can lead companies to pass costs on to consumers through price increases or subscription fee hikes.

What is cybersecurity risk?

First, what is risk, really? Risk is the effect of uncertainty on objectives. Businesses usually view risk through a lens of loss: How could we lose money, credibility, or operational capacity? Here’s how the various types of risk relate to each other:

  • Enterprise Risk: How uncertainty impacts an enterprise’s mission or objectives.
  • Enterprise Risk Management: A strategy to understand risk across the organization, not just within silos.
  • Cybersecurity Risk: The loss of confidentiality, integrity, or availability of an organization’s information, technology, data, and systems, and how that loss impacts the organization’s reputation, revenue, or operations.
  • Cybersecurity Risk Management: Helps security professionals prioritize the investment of resources (e.g., people, time, technology, budget).

However your organization defines and documents these risk types, it’s important to establish a consistent taxonomy and common language. This is especially true for cybersecurity where technical risks must be understood by business decision-makers, not just IT or the security team.

Risk Frameworks: Tools to Help You Start

There are many well-known risk frameworks to choose from. It may be overwhelming, but don’t wait for perfection; start somewhere and iterate. Examples of the most widely used risk frameworks include:


  • NIST SP 800-37 Rev. 2
  • NIST SP 800-39
  • Factor Analysis of Information Risk (FAIR)
  • COSO (2017) - Enterprise Risk Management
  • ISO 31000:2018


Quantify Cyber Risk with FAIR

The World Economic Forum recently stated that CISOs must “quantify cyber risk”, not just explain threats in technical terms. It’s important for CISOs to be able to frame cyber threats in terms of business impact, not purely technical challenges. The FAIR standard enables risk to be quantitatively defined, measured, managed, and communicated. In FAIR, risk is interchangeable with a loss event or risk scenario.

  • Here is an example: Risk Scenario = Asset + (Threat Actors + Intent) + Methods + Loss Effect + Frequency


This structure helps CISOs translate cyber risk into a language that the board, the executive team, and business decision-makers will understand. It also makes it easier to understand the potential business impact in terms of loss, financial exposure, or operational disruption.
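As an added illustration of what quantifying one scenario in this structure looks like (example code written for this post, not GuidePoint Security’s or the FAIR Institute’s tooling), the script below captures a scenario with the fields above, attaches FAIR’s two top-level measurements, Loss Event Frequency (events per year) and Loss Magnitude (loss per event), as calibrated min / most likely / max estimates, and runs a Monte Carlo simulation to produce an annualized loss distribution that can be compared against a loss tolerance in dollars. The scenario, the estimate ranges, and the tolerance are constructed sample values, and the triangular and Poisson sampling choices are this example’s assumptions, not part of the FAIR standard.

```python
"""FAIR-style risk scenario quantification (added example; not GuidePoint or FAIR Institute code).

Assumptions: scenario fields follow the post's decomposition (Asset, Threat Actor + Intent,
Method, Loss Effect, Frequency); Loss Event Frequency (LEF, events/year) and Loss Magnitude
(LM, currency per event) are three-point estimates sampled from triangular distributions,
and the number of loss events in a year is Poisson given the sampled LEF. All numbers are
constructed sample values.
"""
import math
import random
import statistics
from dataclasses import dataclass


@dataclass(frozen=True)
class Estimate:
    """A calibrated three-point estimate: minimum, most likely, maximum."""
    low: float
    likely: float
    high: float

    def sample(self, rng: random.Random) -> float:
        # random.triangular takes (low, high, mode)
        return rng.triangular(self.low, self.high, self.likely)

    def mean(self) -> float:
        # closed-form mean of a triangular distribution
        return (self.low + self.likely + self.high) / 3.0


@dataclass(frozen=True)
class RiskScenario:
    asset: str
    threat_actor: str
    intent: str
    method: str
    loss_effect: str
    loss_event_frequency: Estimate   # loss events per year (LEF)
    loss_magnitude: Estimate         # currency lost per event (LM)

    def statement(self) -> str:
        """Render the scenario in the post's plain-language structure."""
        return (f"{self.threat_actor} ({self.intent}) uses {self.method} "
                f"against {self.asset}, causing {self.loss_effect}")


def poisson_sample(rng: random.Random, rate: float) -> int:
    """Knuth's method: number of events in one year for a given average rate."""
    limit = math.exp(-rate)
    count, product = 0, rng.random()
    while product > limit:
        count += 1
        product *= rng.random()
    return count


def simulate_annual_loss(scenario: RiskScenario, iterations: int = 20000, seed: int = 7) -> dict:
    """Monte Carlo: one simulated year per iteration, each event drawing its own magnitude."""
    rng = random.Random(seed)
    annual_losses = []
    for _ in range(iterations):
        rate = scenario.loss_event_frequency.sample(rng)
        events = poisson_sample(rng, rate)
        annual_losses.append(sum(scenario.loss_magnitude.sample(rng) for _ in range(events)))
    annual_losses.sort()

    def pct(p: float) -> float:
        return annual_losses[min(len(annual_losses) - 1, int(p * len(annual_losses)))]

    return {"mean": statistics.fmean(annual_losses), "p50": pct(0.50),
            "p90": pct(0.90), "p95": pct(0.95), "max": annual_losses[-1]}


def analytic_expected_loss(scenario: RiskScenario) -> float:
    """E[annual loss] = E[LEF] * E[LM] when frequency and magnitude are independent."""
    return scenario.loss_event_frequency.mean() * scenario.loss_magnitude.mean()


def exceeds_tolerance(result: dict, tolerance: float, percentile: str = "p90") -> bool:
    """Compare a chosen percentile of annual loss against a stated loss tolerance."""
    return result[percentile] > tolerance


# Constructed sample scenario (hypothetical values, not figures from the post)
RANSOMWARE_ON_ERP = RiskScenario(
    asset="ERP system",
    threat_actor="external criminal group",
    intent="financial gain",
    method="ransomware delivered via phished credentials",
    loss_effect="loss of availability of order processing",
    loss_event_frequency=Estimate(0.1, 0.5, 2.0),
    loss_magnitude=Estimate(50_000, 200_000, 1_000_000),
)

if __name__ == "__main__":
    result = simulate_annual_loss(RANSOMWARE_ON_ERP)
    print(RANSOMWARE_ON_ERP.statement())
    for key, value in result.items():
        print(f"{key:>5}: ${value:,.0f}")
    print("analytic expected loss:", f"${analytic_expected_loss(RANSOMWARE_ON_ERP):,.0f}")
    print("exceeds $1M tolerance at p90:", exceeds_tolerance(result, 1_000_000))
```

The percentile output is what makes this useful to a board: “we expect roughly $X per year, and in a bad year (90th percentile) about $Y” is a business statement, whereas the raw scenario text is not. Changing an estimate (for instance lowering LEF after a control is deployed) and rerunning gives a direct, comparable view of what a given investment buys.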

Applying FAIR methodology at your organization


A framework like FAIR can provide your organization with a solid methodology for translating cybersecurity risk into business risk, enabling more effective cybersecurity risk management during these uncertain economic times.

If you’re ready to evolve your risk program, whether that’s your framework, methodology, process, or technology, GuidePoint Security can help. For more information on our service offerings, our partnership with the FAIR Institute, and more, please visit GuidePoint Security: https://www.guidepointsecurity.com/
