The Need For a Shift Up Strategy, Using CRQ for Resilience, Part 2
January 17, 2024
Conducting business, no matter in which industry, is innately risky. Historically, some of the primary drivers of this business risk included natural disasters, hardware and inventory theft, legal and compliance regulations, and economic downturns. However, in the midst of the digital age, cyber threats loom as one of the most prominent forms of organizational uncertainty, housing the potential to cause trillions of dollars in damages.
This relatively novel threat is particularly ominous, more so than other types, given its ability to evolve at an unprecedented pace and capitalize on system vulnerabilities faster than they are discovered. It is amidst this precarious landscape that incorporating cybersecurity management at the highest levels of the organization has become a critical strategy for business success.
Elevating cyber discussions to the boardroom is, in essence, adopting a Shift Up Strategy, which seeks to enhance executive collaboration to ensure resources are effectively allocated in a cohesive, proactive manner. Instead of cybersecurity being framed as a resource-draining activity, decision-makers will understand how initiatives actually sustain operational continuity and contribute to business prosperity.
Leveraging CRQ to Shift Up Strategic Initiatives for Business Resiliency
Cyber risk quantification (CRQ) solutions significantly aid in transforming the executive risk management mindset into one that includes cybersecurity. By translating an organization's cyber risk landscape into projected frequency and potential financial loss according to event type, business leaders without a technical background can participate in meaningful conversations that result in data-driven cyber risk mitigation plans.
Part 1 of this series discussed how CRQ facilitates a Shift Up mindset by highlighting the cyber risks that are most likely to cause significant damage, thereby enabling a prioritization plan that adheres to broader strategic goals. But this cyber initiative prioritization is certainly not the only means by which CRQ helps business leaders shift up. There is a slew of other benefits stemming from this approach.
Optimizing Resource Allocation and Justifying Spending Initiatives
Once leaders have collaborated with the CISO to understand the organization's cyber risk and have considered its implications within their broader business objectives, they can determine which mitigation strategies are the most cost-effective and allocate the budget accordingly.
Because the CRQ models incorporate the organization's internal controls’ maturity states and security environment along with external insurance loss intelligence, the platform can reveal critical financial insights that can guide these spending decisions.
While upgrading specific controls correlates to the reduction of certain event types, it's nevertheless crucial to assess the resources required to implement that upgrade. These resources include the execution costs, costs of operation, and the technical hours required to implement and maintain the new level of control.
For example, if the calculations reveal that the costs of an upgrade outweigh the potential benefits, then it may be more strategic to pursue an alternative action plan. Of course, cost-effectiveness is not the only factor to consider when implementing initiatives. An organization may have to comply with certain regulations, making the upgrade non-negotiable. Still, understanding the economic impacts is crucial when making cybersecurity updates.
As a more concrete example, an organization might discover it is extremely likely to experience a phishing event that will amount to serious financial damage. In that case, the CISO might explore a mitigation action plan that involves investing in and implementing more safeguards into CIS Control 4, which focuses on account monitoring and control. As shown in Figure 4, moving from IG2 up to IG3 reduces monetary losses by nearly $100 thousand on average.
Using a CRQ platform like Kovrr's, CISOs can easily determine whether this investment would yield a positive ROI and communicate their findings to the board. In turn, board members can understand, in financial terms, whether it makes the most sense to invest in upgrading that control, transfer the risk to a third party, or absorb it into the organization's risk appetite.
These data-based, objective insights provide the CISO with a solid foundation for justifying spending decisions to the board and other C-suite executives. Instead of speaking in security jargon that is difficult for non-technical personnel to understand, the CISO can straightforwardly explain the rationale behind financial commitments, fostering transparency and accountability.
Working together, these stakeholders can develop a financially sound strategy that starts from the top levels of the organization.
Developing Risk Tolerance and Risk Appetite Levels
There's an inherent risk associated with every aspect of doing business; cyber is no exception. The digital risk landscape is rife with malicious actors searching for opportunities to hold data ransom and receive a handsome payout. But ransom payments are not the only cost of cyber activities, and even the most innocent-seeming operations will ultimately end up costing a baseline amount of money.
By clearly defining the company’s cyber risk appetite and tolerance thresholds, stakeholders can make quick, informed decisions about which risks are acceptable and can be retained and which require mitigation or transfer efforts. Risk appetite is the amount of risk an organization is willing to take on in pursuit of its goals, while risk tolerance is the acceptable deviation away from that appetite.
For instance, in very simplistic terms, an enterprise with an average annual revenue of $20 million might determine, according to its balance sheet and cash flow position, that it has a risk appetite of $3.3 million: even if it suffered a financial loss of that amount, it could still make a profit. It might also calculate that it could remain resilient even if it lost an additional $500 thousand, making this amount its risk tolerance.
Theoretically, the lower the risk appetite, the more work is required, or the more insurance needs to be purchased, to secure the company's environment. The ultimate objective for any CISO or risk manager is to identify a cost-effective strategy for reducing the organization's risk to align with the appetite levels agreed upon by upper management. Granted, achieving this goal is much easier said than done and may not always be attainable.
Still, with their ROI insights, objective cyber risk quantification solutions equip CISOs with the means of communicating realistic losses and relative mitigation costs to the board. These high-level executives will then be able to develop financial risk appetite and tolerance levels that more accurately reflect the organization's cyber environment and security posture, bearing in mind that if an appetite is set too low, it may end up costing more to mitigate in the long run.
Metrics such as Average Annual Loss (AAL), High Loss Exposure, and Low Loss Exposure significantly aid in this decision-making process. AAL represents the expected yearly loss based on the frequency and cost of cyber events.
This loss amount is determined by running a Monte Carlo statistical analysis, which simulates the upcoming year 10,000 times. For the most accurate forecast, Kovrr's CRQ models leverage past events, global intelligence data, insurance insights, and industry-specific information.
The High Loss Exposure is the amount of money that the organization has less than a 1% chance of losing within the year due to cyber events, and the Low Loss Exposure is the amount that the organization has a 98% chance of exceeding.
In Figure 5, the evaluated organization has a Low Loss Exposure of $239,900, meaning there is a 98% chance it will lose at least that amount in the upcoming year, given its current cybersecurity posture. This figure indicates that, at minimum, the company should set a cyber risk appetite of roughly the same number.
Executives can then factor these objective financial cyber metrics into the broader business strategy to determine if it's cost-effective to pursue a course of action that would lower their risk appetite. Consulting with the CISO, the CFO may discover that an initiative to mitigate or transfer the risk to a third party may lower the AAL by an amount that outweighs the cost of the initiative.
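To make the two quantitative ideas above concrete, the ROI comparison of a control upgrade from the resource-allocation section and the AAL, High Loss Exposure and Low Loss Exposure metrics from this section, here is an added worked example. It is not Kovrr's code or model: the compound Poisson/lognormal loss model, the 10,000-year Monte Carlo loop, the event rates, the cost figures, the appetite and tolerance thresholds, and the decision rule in appetite_check are all assumptions chosen only to make the arithmetic visible. It runs with the Python standard library alone.

```python
import math
import random
from dataclasses import dataclass

# Constructed sketch of the CRQ figures the post names (AAL, High Loss
# Exposure, Low Loss Exposure) plus an ROI check for a control upgrade.
# The loss model, rates and cost figures are assumptions, not Kovrr's model.


@dataclass(frozen=True)
class Scenario:
    """Assumed inputs for one simulated security posture."""
    name: str
    annual_rate: float   # expected loss events per year (Poisson mean)
    median_loss: float   # median loss per event, USD
    sigma: float         # log-scale spread of the per-event loss


def poisson(rng, lam):
    """Draw one year's event count (Knuth's method; fine for small rates)."""
    threshold = math.exp(-lam)
    count, product = 0, 1.0
    while True:
        product *= rng.random()
        if product < threshold:
            return count
        count += 1


def simulate_annual_losses(scenario, years=10_000, seed=2024):
    """Simulate `years` independent years; return each year's total loss."""
    rng = random.Random(seed)   # fixed seed keeps the run reproducible
    mu = math.log(scenario.median_loss)
    totals = []
    for _ in range(years):
        events = poisson(rng, scenario.annual_rate)
        totals.append(sum(rng.lognormvariate(mu, scenario.sigma)
                          for _ in range(events)))
    return totals


def quantile(values, q):
    """Nearest-rank quantile for 0 <= q <= 1 (no numpy needed)."""
    ordered = sorted(values)
    rank = min(len(ordered) - 1, max(0, math.ceil(q * len(ordered)) - 1))
    return ordered[rank]


def crq_metrics(annual_losses):
    """Read the three headline figures off the simulated years."""
    return {
        "AAL": sum(annual_losses) / len(annual_losses),
        # less than a 1% chance of losing more than this in the year
        "high_loss_exposure": quantile(annual_losses, 0.99),
        # a 98% chance of losing at least this much in the year
        "low_loss_exposure": quantile(annual_losses, 0.02),
    }


def appetite_check(metrics, appetite, tolerance):
    """Illustrative decision rule (an assumption, not a standard)."""
    if appetite < metrics["low_loss_exposure"]:
        return "appetite below low loss exposure: revisit appetite"
    if metrics["AAL"] <= appetite:
        return "retain"
    if metrics["AAL"] <= appetite + tolerance:
        return "within tolerance: consider mitigation or transfer"
    return "exceeds tolerance: mitigate or transfer"


def upgrade_roi(aal_before, aal_after, execution_cost,
                annual_operating_cost, annual_hours, hourly_rate):
    """First-year ROI: AAL reduction against execution, operating and
    technical-hours costs (the three buckets the post lists)."""
    total_cost = execution_cost + annual_operating_cost + annual_hours * hourly_rate
    return (aal_before - aal_after - total_cost) / total_cost


def run_example():
    """Current posture versus an assumed upgrade that cuts event frequency."""
    baseline = Scenario("current posture", 5.0, 50_000, 1.2)
    upgraded = Scenario("after control upgrade", 3.0, 50_000, 1.2)
    before = crq_metrics(simulate_annual_losses(baseline))
    after = crq_metrics(simulate_annual_losses(upgraded))
    roi = upgrade_roi(before["AAL"], after["AAL"], execution_cost=60_000,
                      annual_operating_cost=25_000, annual_hours=400,
                      hourly_rate=120)
    return {"before": before, "after": after, "upgrade_roi": roi,
            "decision": appetite_check(before, appetite=400_000,
                                       tolerance=150_000)}


if __name__ == "__main__":
    for key, value in run_example().items():
        print(key, value)
```

Running the script prints the before and after metrics, the first-year ROI of the assumed upgrade, and the appetite decision. The percentile choices mirror the definitions above: the 99th percentile of simulated annual loss is the figure exceeded with less than a 1% chance, and the 2nd percentile is the figure exceeded with a 98% chance. Because the low-rate baseline can produce years with zero events, the Low Loss Exposure can legitimately be zero for a small organization; the example's parameters are chosen so it is not.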
Business success and longevity depend on preparing financially for the future. However, for optimal resource allocation, this planning must leverage objective data. CRQ models that harness real-world cyber risk figures, global insurance intelligence, and internal log information will produce a highly accurate assessment that ensures organizations will remain resilient and operational, even in the face of their unavoidable cyber losses.
Learning More About the "Shift Up" Strategy at the Shift Up Summit
In March 2024, Kovrr, along with Microsoft, ISS-Corporate, Valence, and Silverfox, hosted the Shift Up Summit to help key industry professionals learn more about elevating cyber risk management to the C-suite, board room, and beyond. Several CISOs from global enterprises shared their experiences, and the in-depth discussions offered practical tips on how best to facilitate this necessary cybersecurity transition.
While the event has passed, the presentation slides are available, offering you insights on other ways to incorporate a Shift Up Strategy within an organizational framework.
Enhancing Strategic Resilience With CRQ
As cyber threats continue to mutate and become more sophisticated, it is increasingly vital that organizations embrace a Shift Up approach that includes cybersecurity management at the boardroom level. CRQ empowers CISOs to drive this necessary business transformation by unraveling intricate cybersecurity data and facilitating transparent conversations with executives.
Moreover, leveraging this tool allows the CISO to justify spending decisions according to the business's broader financial risk appetite. By incorporating cybersecurity into high-level strategic meetings, CISOs can help stakeholders recognize that cyber initiatives are, contrary to popular belief, not a resource drain but instead a catalyst for business success. The systematic elevation of cyber into the broader business strategy bolsters resiliency and ensures mitigating cyber risk is a team effort.
To start incorporating a Shift Up mindset into your business approach and creating a system that is more cyber resilient, contact our risk experts today.