One of the biggest threats to security is management that doesn’t realise there is a risk at all. Or, if they do recognise a risk, they don’t take ownership and assume someone else will handle it. For example, a factory’s production manager may not feel that the business interruption caused by a loss of data connectivity is their problem. They see it as an IT problem, so they don’t bother to build redundancy. When the data line goes down, they blame IT. That may deflect the blame, but it doesn’t avoid the threat itself: the production line still stops.
Many managers, even when they recognise a risk and agree who owns it, still fail to grasp its magnitude or possible impact. Too often, risk is underestimated. Probability is usually the easier half to estimate. If communications blackouts have happened once or twice a year, maybe three times, it is quite probable they will happen again at a similar rate.
What is the impact of these blackouts? By collecting the data on the previous incidents, a cybersecurity manager can answer many questions about impact: How much did it cost to fix? How much damage was caused? Was it direct or indirect damage? Answering those questions provides a clear picture of how much it could cost in internal labour, incident management, external costs, and so on. The nice thing is that when you can quantify a risk, you can ask for a budget to address it.
Quantitative vs. Qualitative Approaches
Risks like damage to reputation or hindering future growth are hard to quantify, and yet these subjects are top concerns of business owners. Successful risk managers or cybersecurity managers have to address both. If they cannot put a figure on it, they’ll have to sell their plan another way, like telling the story of how things are likely to turn out if the risk is not properly addressed and then defending the estimation of how serious the risk is.
For new business ventures, like a startup that’s launching a new product line, it can be useful to ask them to identify scenarios that could be catastrophic to the business. Help them think about what could be bad enough to bring the company to a standstill. Scenario analysis like this will drive your point home. The simplest kind of scenario analysis is a workshop in which people come together and work out the causes and impacts of a catastrophic business risk scenario. Let’s say they are setting up a joint venture with a business partner. In the workshop, they could identify indicators for failure of that venture. If those indicators appear later, it may mean the scenario is materialising. This is very close to ordinary business management, and a purely qualitative approach to managing risks.
How About Quantifiable Risks?
The ultimate goal of risk management is to quantify risk and make it relatable to the business. Risk management is about minimising the downside of business decisions on all levels of the corporation. That allows the company to take more risks and to take advantage of more opportunities.
Risk managers ask questions like, “Can you tell me how often this potential risk turns into an actual problem? What’s the probability? What’s the impact in terms of money, life, property, downtime, or business interruption?” They will be interested in qualitative and quantitative data.
Risk management people will first identify risks, then try to understand them, assessing each risk either quantitatively (in terms of money) or qualitatively, when reliable numbers are not available. They will put the risks in order of priority with the bigger ones at the top. The cybersecurity manager should meet the risk management people and ask them to explain how risk management works in the company, including where to report risks, how they are assessed, and how to participate in the process.
Example of a Quantified Risk
For example, if the business has been experiencing network outages, this is clearly a risk that needs to be assessed and explained. Five outages per year, causing a $100,000 loss each, means a $500,000 per year cost. Investment-wise, it would make perfect sense to put money into network resiliency, as long as the resiliency measures cost less per year than the losses they prevent, and enjoy a good return on the investment going forward.
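The calculation above, carried through as an added example (not code from the original text): it turns a list of past incidents, costed with the buckets the text names (internal labour, external costs, indirect damage), into an annualised loss expectancy, and then compares a proposed control against it. The incident records, the $120,000 per year cost of a redundant link, the 80% loss reduction it is assumed to deliver, and the return-on-security-investment formula are all assumptions of this example, not figures or formulas from the page.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Incident:
    """One past network outage, reconstructed from incident records.

    The cost buckets follow the questions in the text (internal labour,
    incident management/external costs, indirect damage). All figures are
    constructed sample data, not real incident costs.
    """
    name: str
    downtime_hours: float
    internal_labour: float    # staff time to diagnose, recover, write up
    external_costs: float     # vendor call-outs, contractual penalties
    indirect_damage: float    # lost production while the line stood still

    @property
    def total_cost(self) -> float:
        return self.internal_labour + self.external_costs + self.indirect_damage


def annualised_loss_expectancy(incidents: list, observation_years: float) -> float:
    """Expected loss per year from this risk, computed from observed history.

    ARO (annual rate of occurrence) = incidents / years observed
    SLE (single loss expectancy)    = average cost of one incident
    ALE = ARO * SLE
    Returns 0.0 when there is no history to work from; callers should treat
    that as "no data", not as "no risk".
    """
    if not incidents or observation_years <= 0:
        return 0.0
    aro = len(incidents) / observation_years
    sle = sum(i.total_cost for i in incidents) / len(incidents)
    return aro * sle


def evaluate_control(incidents: list, observation_years: float,
                     expected_reduction: float, annual_control_cost: float) -> dict:
    """Compare a proposed control (e.g. a redundant data link) against the ALE.

    expected_reduction is the fraction of annual loss the control is assumed
    to avoid (0.0 to 1.0). It is the weakest number in the calculation and
    must be defended separately. ROSI = (avoided loss - control cost) /
    control cost is the usual return-on-security-investment formula; it is an
    assumption of this example, not something the text prescribes.
    """
    if not 0.0 <= expected_reduction <= 1.0:
        raise ValueError("expected_reduction must be between 0 and 1")
    if annual_control_cost <= 0:
        raise ValueError("annual_control_cost must be positive")
    ale = annualised_loss_expectancy(incidents, observation_years)
    avoided = ale * expected_reduction
    net = avoided - annual_control_cost
    return {
        "ale": ale,
        "avoided_loss": avoided,
        "net_annual_benefit": net,
        "rosi": net / annual_control_cost,
        # The most the business can spend per year on this control before it
        # costs more than the losses it prevents.
        "max_justifiable_spend": avoided,
    }


# Constructed sample history: five outages in one year, averaging $100,000
# each, matching the figures used in the text above.
INCIDENTS = [
    Incident("Jan WAN cut",        4.0, 20_000, 10_000,  70_000),
    Incident("Mar router failure", 6.0, 30_000, 15_000, 105_000),
    Incident("Jun ISP outage",     2.0, 10_000,  5_000,  35_000),
    Incident("Sep fibre damage",   5.0, 25_000, 10_000,  85_000),
    Incident("Nov core switch",    3.0, 15_000,  5_000,  60_000),
]
OBSERVATION_YEARS = 1.0


if __name__ == "__main__":
    ale = annualised_loss_expectancy(INCIDENTS, OBSERVATION_YEARS)
    print(f"ALE: ${ale:,.0f} per year")
    # Hypothetical control: a second data link costing $120,000 per year,
    # assumed to avoid 80% of outage losses.
    result = evaluate_control(INCIDENTS, OBSERVATION_YEARS, 0.8, 120_000)
    for key, value in result.items():
        print(f"{key}: {value:,.2f}")
```

Two caveats a reviewer of the resulting budget request will raise: with only five data points the annual rate is a rough estimate, so present it as a range rather than a single figure, and the assumed reduction fraction decides the answer more than anything else, so state where it comes from (vendor SLA, architecture review, pilot results) rather than letting it pass as a given.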