Gartner estimates, “By 2020, 100 percent of large enterprises will be asked to report to their board of directors on cybersecurity and technology risk at least annually.”
In today’s digital world, cybersecurity is so fundamental to an organization’s success that it needs to be managed like other business decisions. This requires articulating value in the same way as the rest of the business—using the language of finance. However, according to a Marsh-Microsoft Cyber Perception Survey, only 11 percent of organizations express cyber risk exposure in economic terms.
Board members think in business results like return on investment (ROI), net present value and expected loss. It’s imperative to start communicating cybersecurity recommendations this way, not in overly technical explanations such as vulnerabilities, malware strains and botnets. Instead of identifying the most important risks based on the latest exploit, focus your efforts on those with the greatest financial impact.
By aligning security initiatives with quantified business impact, you can describe the likelihood and economic impact of a cyber event across a multitude of threats and recommend strategies aimed at addressing the highest potential for loss. For example, isolating a legacy system containing personally identifiable information (PII) might decrease risk more significantly than upgrading your firewall solution.
According to the EY Global Information Security Survey 2018-19, 87 percent of organizations don’t yet have sufficient budget to provide the levels of cybersecurity and resilience they want. By shifting cybersecurity investment conversations away from fear, uncertainty and doubt to empirical economic data, you will be more likely to get that next security project or budget increase approved. To make the transition, consider these five questions when defining your organization’s cybersecurity initiatives:
1. Can you forecast expected financial losses and probabilities of a cyber event?
2. Do you have the ability to present objective data that converts exposure into financial outputs?
3. Are risk remediation activities presented with cost-benefit analysis to enable informed decision making?
4. Can you justify your budget with ROI for existing and future cybersecurity investments?
5. Is your threat exposure benchmarked against the competition with industry peer comparisons?
Unisys TrustCheck™ enables you to convert the complexities of cyber risk management into high-level financial outputs that are objective, reliable and easy to articulate. TrustCheck incorporates massive volumes of historical breach data to accurately model financial loss. Powered by X-Analytics, the risk engine used to underwrite billions of dollars of affirmative cyber risk insurance, TrustCheck produces board-ready reports that are informative and objective.
When it’s your turn to report to the board, be fluent in cybersecurity economics to champion a cybersecurity strategy that bolsters your organization’s business. To learn more about how to quantify the business benefits of cybersecurity, visit www.unisys.com/trustcheck.
Tags- Cyber Risk Management