Communicating Business Risk: Why Existing Cybersecurity Metrics Fall Short

How do you communicate the business risk context of your cybersecurity program to your organization’s C-level executives? This is a question I grapple with every day in my role as a cybersecurity leader.

Security and risk management leaders have an arsenal of frameworks and controls at our disposal with which we can measure the most granular facets of our programs. While such metrics are invaluable in helping us manage the day-to-day operations of our teams, they fall short when it comes to finding a way to speak to our business leaders.

When you're interacting at the C-level or even at the audit committee level — which more often than not is the board entity responsible for security — executives want to understand what impact your cybersecurity program is having on the organization’s ability to fulfill its core value proposition. Yet, a global commissioned study of more than 800 business and cybersecurity leaders conducted by Forrester Consulting on behalf of Tenable reveals that 66% of business leaders are — at most — only somewhat confident in their security team’s ability to quantify their organization’s level of risk or security.

This is not to suggest that security leaders are doing something wrong. Rather, it shines a clear spotlight on an unavoidable reality: Current ways of measuring cyber risk don’t provide the business context organizations require. Over half of security leaders surveyed lack confidence that they have the technology or processes to predict cybersecurity threats to their business while roughly two-fifths are unsure they have the data.

Cesar Garza, CISO at Home Depot Mexico in San Pedro, Mexico, describes the challenges in a single word: “Findings.” In an interview with Tenable, Garza said “For us, determining our level of cyber risk is not that hard. We have maturity assessments, vulnerability assessments, penetration tests and all sorts of audits and assessments sent to us by [global corporate headquarters]. The hard part is what to do with all the findings. Most of the findings require investment, OpEx for the rest of eternity, increasing workforce or investing in new technology.”

How do we calculate cyber risk?

Cyber risk is a function of your assets, security controls, threats and vulnerabilities at any given point in time. Without knowing which assets are most critical to your core business value, it’s impossible to arrive at an understanding of which cyber risks represent an actual threat to your business. Once you’ve determined your most critical assets, the next step is to understand which of the tens of thousands of threats and vulnerabilities facing your organization each year actually pose the greatest risk to those core assets.

According to the Forrester study, fewer than 50% of security leaders are framing the impact of cybersecurity threats within the context of a specific business risk. The majority of security leaders polled (56%) are not applying business risk management objectives to their vulnerability prioritization processes. Only half (51%) say their organization works closely with business stakeholders to align cost, performance and risk-reduction objectives with business needs. And just one in four report that they regularly review the security organization’s performance metrics with their business counterparts.

The Forrester study also reveals:

• More than half of security leaders (56%) say their organization lacks good visibility into the security of their most critical assets.
• Approximately 60% of respondents report high or complete visibility into risk assessments for on-premises employees, but only 52% can say the same when employees are remote or working from home.
• Just 51% report having high or complete visibility into systems used by contractors or partners and 55% report the same for their third-party vendors.

You can’t calculate cyber risk without business context

The two most common questions I get asked by senior business leaders and the board include: “Are we secure?” and “How does our program compare to peers?”

But, unlike our business counterparts, security leaders have limited objective data upon which to build the cyber risk equation of assets, security controls, threats and vulnerabilities required to answer both questions. No existing framework captures the entirety of our operation, leaving security leaders to cobble together a hodgepodge of measures. Without an objective measure of the business context for each of our assets, our cyber risk calculations can only take us so far.

Indeed, according to the Forrester study, fewer than half of security leaders consider the industry benchmarking frameworks they use to be very effective in accurately reporting on business risk. And more than half say they are not doing an adequate job benchmarking their security controls.

At the same time, there are so many variables involved in any organization’s attack surface that achieving industry-wide consensus on security metrics is likely to remain a holy grail for the foreseeable future. No organization can ever claim to be 100% secure. All we have is our informed calculation of what’s considered an acceptable level of risk, which allows us to make business decisions about how far to go once we’ve addressed a reasonable level of exposure.

So, how can you work with what you have in order to begin bridging the disconnect between cybersecurity and the business?

There’s no one-size-fits-all answer but we can turn to LafargeHolcim IT EMEA in Madrid for one example. “We evaluate our penetration ratio throughout the different layers of protection in place,” said Jose Maria Labernia Salvador, the company’s head of IT security and internal control, in an interview with Tenable. “This helps our business to understand the potential exposure in our landscape and determine their risk appetite throughout the cybersecurity value chain. Our model is KPI-oriented and is data- or segment-oriented agnostic, as you never know what will be the initial attack vector with potential to move laterally and harm our organization.”

Using the data you have to get to where you need to go

Risk is relative, not absolute. We will always have risk within the enterprise. The question is whether we reduced or increased our risk by taking a particular business action. What the currently available security assessment options do is give you the ability to snap a chalk line, so you have a starting place from which you can begin to identify the work needed to further refine your security program.

At Home Depot Mexico, Garza turns to Tenable.io with Lumin to achieve “visibility in almost real time of our current level of cyber exposure. We can prioritize cyber risks and have all this in one screen.” He noted that the organization is in the process of building an executive dashboard that will give visibility to its C-level executives.

There is no one-size-fits-all approach to identifying the key risk indicators that matter most to your organization. All we can do, as industry professionals, is work together to begin formulating the kinds of business risk metrics that will be most meaningful to C-level business leaders.

To that end, I leave you with the following list of the questions I’ve been asked by boards and C-level executives in the course of my career:

• What and/or where are our most critical risks, functions, and assets?
  • What are you doing to protect them?
• How mature is our program compared to the industry and our peers?
  • What is your roadmap to improve our maturity?
• How is our security program resourced compared to competitors or peers in our industry sector?
• Are our most business-critical functions more secure today than they were a year ago?
• What are we doing about (insert latest headline-grabbing vulnerability here)?

My hope is that these will spark your own ideas for other business risk indicators worth measuring so that, collectively, we can find better ways to achieve alignment between cybersecurity and the business.

Read the blog series: How to Become a Business-Aligned Cybersecurity Leader

Blogs in this series focused on the challenges of aligning cybersecurity and business and why cybersecurity leaders struggle to answer the question "how secure, or at risk, are we?". We also examined what COVID-19 response strategies reveal about the business-cyber disconnect, discussed why existing cybersecurity metrics fall short when communicating cyber risk, explored five steps for achieving alignment with the business and provided a view into a day in the life of a business-aligned cybersecurity leader.

Learn more:

• See additional study highlights here
• Download the full study, The Rise of the Business-Aligned Security Executive
• Read the blogs
  • Aligning Cybersecurity and the Business: Nobody Said It Was Easy
  • Why Cybersecurity Leaders Struggle to Answer the Question ‘How Secure Are We?’
  • What COVID-19 Response Strategies Reveal About the Business-Cyber Disconnect
• Download the white paper, What It Takes to Be a Business-Aligned Cybersecurity Leader
• Read the eBook, How to Become a Business-Aligned Security Leader
• Listen to the Cyber Exposure Podcast series, "Interview with Tenable CSO Bob Huber"
• Save your spot for our upcoming webinar and live Q&A on Sept. 30, "The Rise of the Business-Aligned Security Executive"