The science and art of security come down to two things: quantifying and managing risk. Do both of those things well, and you’re much better positioned to prioritize your exposures and protect your organization.
In Episode 5 of our SON OF A BREACH! podcast series, CRITICALSTART CTO Randy Watkins kicks off a two-part series focused on the finances behind security. Our CFO Andrew Kaufman joins Watkins to calculate the value of security and the cost of risk for your business.
“I don’t think you can ever take a risk profile to zero, especially in cybersecurity,” Kaufman says. “You never know what else is out there and what threat actors are doing and concocting. …The goal is not reducing your liability to zero, it’s about reducing your liability to a point you can get comfortable around.”
Kaufman brings more than 16 years of accounting and financial leadership in software and technology companies, including building internal controls for financial reporting at high-growth technology firms. With that experience, he brings the calculation “cost impact x probability = quantifiable risk” to life with real-world examples.
“There are going to be times where the cost is just too high to mitigate the risk,” he says. “We recognize there is an open liability, but the cost to either install internal controls, or place technology around it, may be too high. That may be a point in time we look at transferring risk. That’s where the cyber risk policies and cyber risk insurance have really stepped up in the last several years.”
Q&A – Quest for Limited Liability with Andrew Kaufman
The following is an abbreviated Q&A based on Watkins’ conversation with Kaufman in Episode 5 of our SON OF A BREACH! podcast series. Be sure to tune in to the entire conversation.
Watkins: Let’s start with talking about quantifying and managing risk. As CFO, how would you start calculating risk if you were a CISO?
Kaufman: Cybersecurity really was bred out of a compliance checkbox approach. There’s regulation: how do I stay in tune with that regulation, and stay compliant with that regulation? But that doesn’t really, objectively, go after the risk associated with a cybersecurity attack. I think from the CISO seat, it needs to be less about mitigating controls and more about outcomes. What are the potential outcomes that could happen from a cybersecurity breach, or a malware incident, or anything like that? What are those outcomes and what am I trying to prevent? Then you start looking at how much risk is associated with each one of those events.
Watkins: Risk is impact times probability. We’re looking at what’s the cost of this going to be if it happens. That often seems to be the point where a lot of people get stuck. Where do those dollar amounts come from?
Kaufman: For every organization, you’ve got to think about what is the potential that I’m going to have downtime, or I’m going to have loss of revenue, or I’m going to have a denial of service that’s going to cause me this amount of heartburn. It’s really getting down to each organization’s operations and understanding how a potential cyber event may affect that organization. So if an attack puts me out of commission for a day, what are my operating costs for that day? What is my loss of revenue for that day? If I lose data, what is the cost of going and spinning up backup? And how long will it take me to get back online?
The CISO doesn’t necessarily have to do this in a vacuum. They may want to quantify certain amounts of things that could occur in a cyber breach. But the CFO can help come behind that with true dollar figures of loss of revenue, costs associated with downtime, all of those things.
Watkins: You can spend all day qualifying and quantifying the risk, but you have to make a decision on that risk eventually. Once you have the risk calculated by the dollar amount, then what would you expect to see put into that?
Kaufman: The threat landscape today is not going to look the same as it does six months from now, with how fast threat actors are moving, evolving, etc. Once you get to that probability-times-cost output, it’s really important to run sensitivity analysis on it. In the event your probability changes, what type of change is that going to make to my overall exposure risk?
And it’s important that this doesn’t only occur within the CISO’s organization. So it’s getting others involved, it’s bringing this information to light at the executive level. You’re seeing a lot more corporate governance board involvement in cybersecurity risk, because it’s become such an area of major liability. And so you want to bring those (calculations) to those individuals, and let them also ascertain whether they think the outcomes, the dollar amounts, and the probabilities associated, seem reasonable.
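The arithmetic Kaufman describes, carried through end to end as an added example written for this page (it is not code from the podcast or from CRITICALSTART): the CFO-style cost inputs for one hypothetical outage scenario are combined into a cost impact, multiplied by probability to get quantified risk, run through the sensitivity analysis he recommends, and compared against the two responses he names, a mitigating control and transferring the risk to a cyber policy. Every dollar figure, probability, control effectiveness and coverage fraction below is a constructed assumption, and the control and insurance models are deliberately simple (a flat annual control cost that removes a fraction of the event probability; a flat premium that reimburses a fraction of the loss, with no deductible or limit).

```python
"""Quantified risk = cost impact x probability, with sensitivity analysis and an
accept / mitigate / transfer comparison. Added example; all figures are constructed."""
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Scenario:
    """One outcome the CISO wants to prevent, with the CFO's cost inputs."""
    name: str
    probability: float           # estimated annual likelihood of the event, 0..1
    downtime_days: float         # how long the event takes the business offline
    daily_operating_cost: float  # payroll, facilities etc. that still accrue while down
    daily_lost_revenue: float    # revenue not earned on a down day
    recovery_cost: float         # spinning up backups, incident response, forensics

    def impact(self) -> float:
        """Dollar cost if the event happens (the 'cost impact' term)."""
        downtime = self.downtime_days * (self.daily_operating_cost + self.daily_lost_revenue)
        return downtime + self.recovery_cost

    def exposure(self) -> float:
        """Quantified risk: cost impact x probability (expected annual loss)."""
        return self.impact() * self.probability


@dataclass(frozen=True)
class Control:
    """A mitigating control: its annual cost and the share of event probability it removes."""
    annual_cost: float
    effectiveness: float         # 0..1 fraction of the probability eliminated


@dataclass(frozen=True)
class Insurance:
    """A cyber policy: annual premium and the fraction of a loss it reimburses."""
    premium: float
    coverage: float              # 0..1 fraction of the loss the insurer pays


def expected_cost(scenario: Scenario, control: Control, policy: Insurance) -> dict:
    """Expected annual cost of each response to the scenario."""
    residual_exposure = scenario.exposure() * (1 - control.effectiveness)
    uninsured_exposure = scenario.exposure() * (1 - policy.coverage)
    return {
        "accept": scenario.exposure(),
        "mitigate": control.annual_cost + residual_exposure,
        "transfer": policy.premium + uninsured_exposure,
    }


def cheapest_option(scenario: Scenario, control: Control, policy: Insurance) -> str:
    costs = expected_cost(scenario, control, policy)
    return min(costs, key=costs.get)


def sensitivity(scenario: Scenario, control: Control, policy: Insurance, probabilities) -> dict:
    """Re-run the decision across a range of probabilities, since the threat landscape
    six months out will not match today's estimate."""
    return {
        p: cheapest_option(replace(scenario, probability=p), control, policy)
        for p in probabilities
    }


# Constructed sample inputs (hypothetical; not figures from the podcast).
SAMPLE_SCENARIO = Scenario(
    name="ransomware takes order processing offline",
    probability=0.10,
    downtime_days=3,
    daily_operating_cost=40_000,
    daily_lost_revenue=150_000,
    recovery_cost=200_000,
)
SAMPLE_CONTROL = Control(annual_cost=60_000, effectiveness=0.95)   # e.g. MDR plus tested backups
SAMPLE_POLICY = Insurance(premium=30_000, coverage=0.60)           # hypothetical cyber policy

if __name__ == "__main__":
    s = SAMPLE_SCENARIO
    print(f"{s.name}: impact ${s.impact():,.0f}, exposure ${s.exposure():,.0f}")
    for option, cost in expected_cost(s, SAMPLE_CONTROL, SAMPLE_POLICY).items():
        print(f"  {option:9s} expected annual cost ${cost:,.0f}")
    for p, choice in sensitivity(s, SAMPLE_CONTROL, SAMPLE_POLICY, [0.02, 0.10, 0.25]).items():
        print(f"  at probability {p:.2f} the cheapest response is: {choice}")
```

With these inputs the impact is $770,000 and the exposure at a 10% annual probability is $77,000; transferring to the policy ($60,800 expected) edges out the control ($63,850) and comfortably beats accepting ($77,000). The sensitivity run is the instructive part: at 2% the cheapest response is to accept, at 10% to transfer, and at 25% the control pays for itself, which is exactly why the probability estimate deserves challenge at the executive and board level rather than being treated as settled.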