The purpose of a CISO and a cyber program is to reduce the costs associated with cybersecurity. I said this to colleagues at a social mixer this week and their heads almost exploded. “Shouldn’t we be trying to stop and mitigate risk?” “We need to spend more money on cyber, not less.” “I can’t believe you, of all people, think we need to be doing less!” “Do you want to give up and let the bad guys win?”
I want businesses to understand that cybercrime is a part of business in the exact same (not metaphorical) way as shoplifting, employees stealing office supplies, customers slipping on the floor, vandalism, executives abusing power against employees, hurricanes, power failures, earthquakes, flooding and taxes.
The goal of all risk management is to reduce the costs associated with mishaps, not to make them impossible.
If the damage from a business losing electricity is $1M per incident and the mishap rate is once every 48 months, the following is a reasonable solution:
- $500k for a generator every 8 years to extend the mishap rate to every 96 months. Investment over 8 years: $500k plus a single $1M loss is $1.5M instead of the $2M in losses unmitigated. This saves the business $500k over 8 years.
The following would be an unreasonable business solution:
- A $2M investment in uninterrupted power each year reduces the mishap rate to nearly zero. Over 8 years, $16M will be spent to prevent $2M in losses. That’s $14M worth of bad planning.
Good cybersecurity programs are no different.
The Critical Numbers in Cyber Security
For most of the last 20 years, I have spent my waking hours producing the following numbers for organizations:
- Costs of a successful cyber mishap (breach) by type
- Rate of attempted mishaps
- Rate of successfully disrupting mishaps
- Cost of successfully disrupting mishaps
Cost of Successful Cyber Mishap
Every organization has different costs associated with each type of cyber mishap. Each type of breach carries the following potential costs:
- Public Relations (PR): Impact of market losing faith in the company
- Lost Revenue/Production: Direct loss of revenue from service disruption
- Theft: Loss of capital and assets
- Competitive Loss: Long term damage from losing protected information
- Legal Jeopardy: Lawsuits from government agencies and private consumers
Organizations that build Incident Response Plans properly involve all stakeholders, because IT and cybersecurity departments don’t have the expertise to know how many social media followers the company will lose, who has standing to file a lawsuit, or how many days an outage delays the supply chain.
The best source of information is the last time a mishap occurred and the costs it generated. Otherwise, walk through the steps of the incident response plan, keeping a tally of the associated costs.
Rate of Attempted Mishaps
A modern security platform (like WitFoo Precinct) automatically counts how many cyber mishaps are attempted. Examples of mishap types include:
- Theft of Protected Data
- Disruption of Service
- Extortion (via Ransomware)
- Trespassing via Credential Theft
- Financial/Wire Fraud
- Infrastructure Attack
- Violation of Corporate/Organizational Policy
- Service/Hardware Failure
No sustainable cybersecurity practice can exist if the unit of work cannot be metered. Where a mishap type is costly but infrequent, planning can be based on a conservative rate (once a year), or an actuary can be hired to develop a prediction.
Success Rate and Costs
With attempted mishaps/breaches/attacks documented, they can be analyzed to determine whether they were successfully stopped by the tools, personnel, and processes in place, and what each successful disruption cost.
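The power-loss comparison above and the four numbers listed in this section are the same calculation. As an added example (not code from the article or from WitFoo), the following Python combines those four numbers into an expected annual cost per mishap type and then compares candidate investments over a planning horizon, reproducing the generator result as one case. The combining formula (disrupted attempts cost the disruption cost, the rest cost a breach), the `Control` model and every dollar figure for the cyber types are this example's own assumptions; the article’s fallback of planning on once a year for an unmetered type is built in.

```python
"""Expected-cost model for mishaps (added example, not from the article or WitFoo).

Combines the four numbers the article says a cyber program must produce:
  - cost of a successful mishap, by type
  - rate of attempted mishaps
  - rate of successfully disrupting them
  - cost of each successful disruption
into an expected annual cost per mishap type, then compares candidate controls
over a planning horizon the way the generator example does. The combining
formula and the Control model are assumptions of this example.
"""
from dataclasses import dataclass, replace
from typing import List, Optional, Tuple

# Article's fallback for a costly type whose rate cannot be metered: plan on once a year.
CONSERVATIVE_RATE_PER_YEAR = 1.0


@dataclass(frozen=True)
class MishapType:
    name: str
    breach_cost: float                  # cost of one successful mishap of this type
    attempts_per_year: Optional[float]  # metered attempt rate; None if not yet metered
    disruption_rate: float              # fraction of attempts stopped by tools/people/process
    disruption_cost: float              # cost of handling one disrupted attempt

    def attempt_rate(self) -> float:
        if self.attempts_per_year is None:
            return CONSERVATIVE_RATE_PER_YEAR
        return self.attempts_per_year

    def expected_annual_cost(self) -> float:
        """Assumed formula: disrupted attempts cost the disruption cost, the rest cost a breach."""
        rate = self.attempt_rate()
        disrupted = rate * self.disruption_rate
        succeeded = rate * (1.0 - self.disruption_rate)
        return disrupted * self.disruption_cost + succeeded * self.breach_cost


@dataclass(frozen=True)
class Control:
    """A candidate investment: may lower the attempt rate, raise the disruption rate, or both."""
    name: str
    annual_cost: float
    attempt_rate_factor: float = 1.0             # 0.5 halves the attempts that reach the business
    new_disruption_rate: Optional[float] = None  # None keeps the current disruption rate


def apply_control(mishap: MishapType, control: Control) -> MishapType:
    new_rate = (mishap.disruption_rate if control.new_disruption_rate is None
                else control.new_disruption_rate)
    return replace(mishap,
                   attempts_per_year=mishap.attempt_rate() * control.attempt_rate_factor,
                   disruption_rate=new_rate)


def horizon_cost(mishap: MishapType, years: float, control: Optional[Control] = None) -> float:
    """Total expected cost over the planning horizon: control spend plus residual losses."""
    if control is None:
        return mishap.expected_annual_cost() * years
    residual = apply_control(mishap, control).expected_annual_cost() * years
    return control.annual_cost * years + residual


def rank_controls(mishap: MishapType, options: List[Control],
                  years: float) -> List[Tuple[str, float, float]]:
    """Return (control name, total cost, savings vs. doing nothing), cheapest first.
    Negative savings is the article's "bad planning": the control costs more than it prevents."""
    baseline = horizon_cost(mishap, years)
    rows = []
    for control in options:
        total = horizon_cost(mishap, years, control)
        rows.append((control.name, total, baseline - total))
    return sorted(rows, key=lambda row: row[1])


# --- Constructed sample inputs -------------------------------------------------
# The article's power-loss example in this model: $1M per outage, one outage every
# 48 months (0.25 per year), and nothing disrupts an outage once it starts.
POWER_LOSS = MishapType("Loss of electricity", breach_cost=1_000_000, attempts_per_year=0.25,
                        disruption_rate=0.0, disruption_cost=0.0)
GENERATOR = Control("Generator ($500k per 8 years)", annual_cost=500_000 / 8, attempt_rate_factor=0.5)
UPS = Control("Uninterrupted power ($2M per year)", annual_cost=2_000_000, attempt_rate_factor=0.0)

# Cyber mishap types with constructed (not real) figures.
RANSOMWARE = MishapType("Extortion (via Ransomware)", breach_cost=2_000_000, attempts_per_year=12,
                        disruption_rate=0.9, disruption_cost=5_000)
INFRA = MishapType("Infrastructure Attack", breach_cost=3_000_000, attempts_per_year=None,
                   disruption_rate=0.5, disruption_cost=20_000)  # unmetered: once a year assumed

if __name__ == "__main__":
    for name, total, savings in rank_controls(POWER_LOSS, [GENERATOR, UPS], years=8):
        verdict = "saves" if savings >= 0 else "WASTES"
        print(f"{name}: ${total:,.0f} over 8 years, {verdict} ${abs(savings):,.0f}")
    for mishap in (RANSOMWARE, INFRA):
        print(f"{mishap.name}: expected ${mishap.expected_annual_cost():,.0f} per year")
```

Run as a script, it ranks the generator ($1.5M total, $500k saved) ahead of the yearly $2M spend ($16M total, $14M wasted), and prices the two constructed cyber types per year. Replacing the constructed figures with an organization's own metered attempt counts, disruption rates and costed incident-response tallies turns the same function into the spend-versus-loss comparison the article argues every program should be able to make.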
Compliance with Readiness
Most businesses must maintain a level of cyber hygiene to do business with their customers or vendors. Many industries must also meet compliance requirements established by law. Compliance by itself doesn’t reduce the costs associated with cybersecurity mishaps, but when deployed as part of a holistic strategy, it can drive down mishap costs while meeting vendor and compliance requirements.
WitFoo Partners, like Impelix, provide Advisory Workshops utilizing machine data driven assessments from WitFoo Precinct and strategic expertise to achieve all the business goals at the most sustainable price.
In developing a cybersecurity program, it is critical to understand the costs of a mishap and to develop a plan that minimizes those projected costs while reducing risk.
Cybersecurity decision makers need to understand compliance, readiness, and, most importantly, the goal of reducing the costs associated with cybersecurity. Sustainable, strategic spending that reduces costs while reducing risks is the new frontier of cybersecurity.