I recently presented on this topic at an MISTI conference for IT auditors.
My theme started with the fact that it is impossible to eliminate cyberrisk — the potential for a breach of our corporate network to harm us in some way. (I should say that we should be talking about "cyber-related business risk.")
While spending money to shore up our defenses will hopefully reduce the number and frequency of intrusions, the hackers' tools and techniques continue to develop, and we are constantly adding potential points of weakness as our use of technology grows. A recent survey said that the great majority of organizations don't have a good handle on how many addressable devices (Internet of Things) are now attached to their corporate network.
We can mitigate the effect of an intrusion with a combination of timely detection (the average time to detect is an appalling 9 months or so), incident response, encryption and other safeguards, and contingency planning.
But investments in cyber will not eliminate the risk.
So how much should we invest?
How much cyberrisk should we be willing to take?
I suggested that we need to understand and assess the risk.
But it is the risk to the objectives of the enterprise we should be assessing, not some measure of threat to IT assets or services. In other words, what is the cyber-related business risk.
How could a breach affect our business and the achievement of corporate goals?
How could it affect revenue, market share, earnings, and reputation?
What is the level of risk — to the enterprise?
If we can assess the level of risk, we can start to consider alternative ways to address the risk.
If we invest x dollars (whether in people, tools, or services), will that reduce the risk by more than the investment?
Can we tolerate the risk? Can we tolerate the cost of a breach?
According to one survey I read, the average cost of a breach is "only" US$208,432. IBM and the Ponemon Institute disagreed, saying it was US$4 million. Rand pointedly said that was incorrect, that the cost is less than US$200,000.
Whichever number is correct, the average cost of a breach is not as alarming as many if not most might believe.
According to Rand, "cyber incidents cost firms a mere 0.4% of annual revenues on average. By comparison, overall rates of corruption, financial misstatements, and billing fraud account for 5% of annual revenues, followed by retail shrinkage (1.3%), followed by online fraud (0.9%)."
I am not saying that we should accept cyberrisk as a cost of doing business.
I am saying that we should invest in cyber defense, detection, and response commensurate with the risk.
We have other uses for the funds and resources!
I am also saying that if we are to adopt the new and disruptive technology that will drive the business forward, we should be willing to accept some reasonable level of cyberrisk.
Some in the audience vocally and loudly disagreed. They said that reducing security weakness and other IT-related risks to dollars and cents, allowing management to say remediation costs were more than the risk justified, would send the wrong message. It would say that some IT-related risks should be accepted.
Sorry, but that is the right message.
Every organization's assessment of cyber-related business risk (or any risk, for that matter) will be different. It will vary depending on their business and how they conduct it, their public image, how they value their reputation, and so on. It will also be affected by regulatory guidance and oversight.
Every organization's investment in addressing cyberrisk should be tailored to its level of risk — recognizing that the level of risk is likely to change.
Where does that leave me?
That there are greater risks than cyber.
The risk of being left behind by our competitors when it comes to leveraging new and disruptive technology is typically far greater.
The cost of a delay in or even the failure of a major systems enterprise resource planning implementation will probably be several times the cost of a breach.
So let's make intelligent decisions about investing in the management of cyberrisk.
Let's not cry out that the cyber sky is falling.
I welcome your thoughts.
PS – see here for an article on cyberrisk regulations proposed for U.S. banks. Note that they are also risk-based.