Hey CISO: You need a data-driven way to navigate budgeting season


It’s that time of year when chief information security officers (CISOs) prepare their budgets for the following year. But even with all the lengthy budget meetings and analysis, getting the budget you need is rarely easy. Communication of cyber risk to other stakeholders is often insufficient, as they struggle to fully internalize what the risk means in terms of financial impact. Yet, by taking a data-driven approach to analyzing the frequency and severity of potential cyberattacks, CISOs can then present clear, quantifiable numbers. When boards and other stakeholders see these numbers, then they can be more receptive to providing adequate funding.

The status quo problem

CISOs tend to find themselves at an impasse. On the one hand, you are expected to protect and ultimately create value for your business and your stakeholders. On the other hand, you are expected to cut unnecessary budgets… but not everyone agrees on what is necessary or unnecessary.

Maybe one year you convinced your CFO to provide some budget to invest in security. But the following year, the CFO wonders why you spent so much when none of the attacks you warned about materialized. Of course, that was the goal of these investments, but don’t expect all stakeholders to follow that logic.

Not only is this situation frustrating, but it puts your job at risk. If a major incident occurs, it doesn’t matter if it wasn’t your idea to cut the security budget… you’ll probably be the one to suffer the consequences.

The need for quantification

How can you overcome these issues and get the budget you need?

Some CISOs require a fixed percentage of the company’s overall IT budget. Others ask for a predefined increase based on last year’s budget.

But ultimately, these approaches don’t tell you anything specific about the risks you face.

CISOs can solve this problem by presenting real information: quantifiable numbers on the frequency and severity of the company’s cyber risk, based on data from past events. This frequency/severity information can then be translated into potential dollar losses.

This specificity tends to resonate more with boards of directors and other members of the C-suite than conversations based on intuition, hype cycles, or approaches such as color-coded risk levels.

Remember: when it comes to securing a budget, your target audience doesn’t necessarily focus on specific vulnerabilities and controls. They want to know: if something bad happened, what would the financial impact be?

Once they have that number, they can focus on areas such as:

  • How much should we allocate to risk mitigation (e.g., new or better controls)?
  • How much should we allocate to risk transfer (e.g., by purchasing cyber insurance)?
  • How much risk are we willing to retain?

By framing the conversation in this context, it is usually easier to then develop a relevant and sufficient budget.

How to quantify cyber risk

Cyber risk quantification can be done by modeling the impact of an attack based on past events, similar to what is done to quantify natural disaster risk. Kovrr uses both third-party cyber event data and proprietary data from cyber insurers and companies.

Having this insurance data is particularly useful, given the magnitude of the claims insurers handle.

While it is possible to use traditional manual methods to analyze past events and model what cyber risk means in terms of exposure, using an automated platform like Kovrr that continuously feeds quantification models with new data tends to be a more efficient and effective approach. From there, you can see which contributing factors drive the cost of managing specific areas such as business alignment, training, awareness and security culture.
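The frequency/severity approach described above (events per year from past incidents, loss size per event, summed into annual dollar losses, then compared across the mitigate/transfer/retain questions) as an added, self-contained example; this is not Kovrr’s model or code. It assumes a constructed ten-incident loss history, a Poisson event frequency, a lognormal severity, a hypothetical control that cuts frequency by 40 %, and a hypothetical aggregate policy with a $100k retention and $1M limit.

```python
import math
import random
import statistics

# Constructed loss history (USD): ten incidents over five observed years.
PAST_LOSSES = [12_000, 45_000, 80_000, 150_000, 22_000,
               300_000, 60_000, 18_000, 500_000, 95_000]
OBSERVED_YEARS = 5

def fit_frequency_severity(losses, observed_years):
    # Frequency: events per year (Poisson rate); severity: lognormal fitted to log-losses.
    logs = [math.log(x) for x in losses]
    return len(losses) / observed_years, statistics.fmean(logs), statistics.pstdev(logs)

def _poisson(rng, lam):
    # Knuth's sampler; fine for the small event rates seen in loss histories.
    threshold, k, p = math.exp(-lam), 0, 1.0
    while True:
        p *= rng.random()
        if p < threshold:
            return k
        k += 1

def simulate_annual_losses(lam, mu, sigma, years=20_000, seed=7):
    # Monte Carlo: per simulated year draw an event count, then one lognormal loss per event.
    rng = random.Random(seed)
    return [sum(rng.lognormvariate(mu, sigma) for _ in range(_poisson(rng, lam)))
            for _ in range(years)]

def retained_after_insurance(annual_losses, retention, limit):
    # Aggregate policy: the insurer pays the part above the retention, up to the limit.
    return [loss - min(max(loss - retention, 0.0), limit) for loss in annual_losses]

def summarize(annual_losses):
    # Expected annual loss and the 1-in-20-year loss (95th percentile), in USD.
    ordered = sorted(annual_losses)
    return {"expected": statistics.fmean(ordered), "p95": ordered[int(0.95 * len(ordered))]}

def budget_scenarios():
    # The article's three questions: mitigate, transfer, or retain. Assumed: a control
    # that cuts event frequency by 40 %, and a policy with $100k retention and $1M limit.
    lam, mu, sigma = fit_frequency_severity(PAST_LOSSES, OBSERVED_YEARS)
    base = simulate_annual_losses(lam, mu, sigma)
    return {"status quo": summarize(base),
            "mitigation": summarize(simulate_annual_losses(lam * 0.6, mu, sigma)),
            "insurance": summarize(retained_after_insurance(base, 100_000, 1_000_000))}

if __name__ == "__main__":
    for name, figures in budget_scenarios().items():
        print(f"{name:11} expected ${figures['expected']:,.0f}   p95 ${figures['p95']:,.0f}")
```

The "expected" figure is the annual loss to budget against on average; "p95" is the bad year a board will ask about, and the gap between the two is what the transfer and retention questions are really negotiating.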

Now is the time to quantify cyber risk

With budget season approaching, CISOs can’t afford to wait. Now is the time to be able to explain financially the risks you face and what you can do to manage those risks. This way, you can add value by notifying stakeholders of potential losses and then receive sufficient budget to properly manage your cyber risk.

To learn more about how Kovrr’s modeling technology can help you quickly quantify your financial exposure, before diving deeper into budget conversations, contact us today.

