Cybersecurity risk management can be a unifying conversation throughout your organization. Few things are more challenging in the cybersecurity business than getting stakeholders to speak in the same language. The business planners are talking supply and demand; the IT department is talking bits and bytes; the HR department is talking wellness and productivity; the C-suite is talking dollars and cents; and the board of directors are talking governance and liability. All these competing challenges make discussions about endpoint solutions, monitoring systems and identity management systems difficult to have.
So how does one overcome the challenge? The answer comes in finding a common interest. And that common interest requires having a common language.
The History of Currency
The concept of currency goes back a while. Ancient China, the Mesopotamians and the Lydians, a group from western Anatolia who are likely the first to have used metal coins for exchange, all understood this concept well.
Medieval Europe gave rise to the merchant banks and letters of credit, where you could make a deposit in one place and use a letter of credit to make a withdrawal in another. Letters of credit provided an early form of security to those traveling between Europe and the Middle East. Because they did not need to carry their money, they were less likely to become targets for robbers.
You can bet your C-suite understands the concept of currency when they’re deciding the next IT and cybersecurity budgets. In order to talk about how cybersecurity risk management fits into that budget, you need to speak the language of money. So who and what provides security for your data while it is deposited away somewhere or traveling along a network?
The ‘War for Data’
Many wars are rooted in the desire to control more resources. You can make a strong argument that the most valuable resource in the 21st century is, in fact, data.
Why is it so valuable? Raw data, on its own, does have intrinsic value, just like many natural resources. But what makes data truly valuable nowadays is what you can do with it: collate it, interpret it, manipulate it, refine it, commercialize it and even abuse it.
Here’s what makes information so unique: it gives you the ability to control what happens in the present and the future. That’s why data, despite how readily available it is, should be treated as today’s most valuable currency and not a commodity. That’s why cybersecurity risk management is so important.
Turning Cybersecurity Risk Management Into a Shared Interest
The path to getting your cybersecurity risk management concerns addressed may all come down to communication and understanding. When you can translate your security and privacy concerns into wellness and productivity concerns, you’re making progress. And if you can up your game by translating artificial intelligence monitoring and infrastructure design into governance and liability issues, then you’re really on the road. This is how you make cybersecurity champions of your colleagues, because you are teaching them .
The way to do this is framing: making your colleagues understand that your data isn’t just a bunch of information, but rather cold, hard cash.
Make Your Message Relatable
If your message is about artifacts and logs, you better be talking to your colleagues in the security and IT department. If you’re not, you’re likely to get a bunch of glossy looks, weird expressions, the ever so polite “mmhmm” or some mixture of them all. This may be a painful thing to hear, but non-security folks usually have about as much interest in cybersecurity as security folks have in non-security matters.
What bridges that gap?
People understand money. They can relate. That’s where your discussion needs to start if you are trying to build allies within your organization. Trying to sell a risk management framework or a cybersecurity risk management assessment is hard on the best of days. Trying to sell that same framework and assessment through a business case or through what the calculable cost of attack would be makes it a whole lot easier.
If security professionals really want to make a change, they need to up their business acumen. Security professionals need to feel comfortable speaking about issues like reputational risk, stock value impact, financial risk, cost of business interruption, disclosure and regulatory penalties and liability payments.
If you really want to get attention, attach metrics to your discussion of cybersecurity risk management.
Back Your Discussion Up With Numbers
What do you think would happen if a chief financial officer walks into the boardroom and says “Someone has stolen millions of dollars from us”?
Jaws would drop. People would gasp and demand to know how something like this happened.
But would you get the same reaction if the chief information security officer walks into the boardroom and says, “There has been a theft: one of our main databases has been compromised”?
Would the “wow factor” be the same? Probably not.
This supports that data and metrics are key. If you’re not sure what metrics to use, a good place to start is the Ponemon Institute’s Cost of a Data Breach Report, published by IBM Security.
You can use the same or similar categories to make presentations to your colleagues.
Why You Should Treat Your Data Like Cash
The moment you really believe data is cold hard cash, you treat it differently. Cryptocurrency is a good example of this. Think about it: a cryptocurrency is just a bunch of 0s and 1s. Because those 0s and 1s are convertible into monetary value, those who own cryptocurrencies take great lengths to keep them secure.
Your intellectual property is also cash. Databases of personal information are cash. And your habits, all recorded in 0s and 1s, are cash.
Why? Because people can collate, interpret, manipulate, refine, commercialize and abuse data.
There is another major benefit of treating your data like cash: you can invest and secure it wisely. Finding solid numbers on the issue of cybersecurity risk management versus cybersecurity response costs are hard to come by, but you can tailor your solution to your need. You do this through risk management. This is where some good ol’ fashioned math comes into play.
How To Talk About Cybersecurity Risk Management
Once you determine your risk tolerances, start crunching the numbers. The moment you have those calculations and metrics, you’re armed with some serious statistics that can help back your case.
For example, you can walk into the boardroom and say, “These cybersecurity risk management measures will cost $100,000 per year. However, they will help us close a gap in our infrastructure that, if left unaddressed, could cost us millions of dollars if we are breached. The recovery costs will be bad, but the impact of such a breach will put our business operations in jeopardy due to regulatory penalties, reputational risk and loss of intellectual property. I value all of these costs to total upwards of $50 million dollars.”
Show executives how valuable data is. For example, “We can afford $100,000 per year because our profit margins are x. Our balance sheet is in pretty good shape, so we can add some assets and depreciate them. The y amounts of costs are manageable year-over-year based on our current revenue stream.”
If you have the data to back up a statement like that and you may find yourself with a few new cybersecurity risk management champions.