May 03 2024

RSA 2024: What's On the Agenda at the Biggest Security Event of the Year?

Expect plenty of talk about artificial intelligence, securing critical infrastructure and calculating cyber risk in dollar terms.

As the world’s largest gathering of cybersecurity professionals prepares to take over San Francisco the week of May 6, the list of topics experts will discuss is growing longer and more complex.

What role will generative artificial intelligence play for both defenders and attackers? How can businesses better understand cyber risk as a business risk so they can make informed decisions about how to respond to it? And how can tech leaders in industries that rely on operational technology (OT) as well as IT — especially for critical-infrastructure facilities — effectively respond to the growing threat posed by both individual and state actors?

Some 45,000 cybersecurity experts, business and technology leaders, government officials, journalists, analysts and others will compare notes and discuss solutions to these and other challenges at the RSA Conference May 6-9 at the Moscone Center in San Francisco. Whether you’ll be attending or not, keep this page bookmarked for articles and videos from the event, follow us on the social platform X @BizTechMagazine and join the event conversation at #RSAC.

Here are three critical themes likely to be highlighted during the event.


How to Quantify Cyber Risk in Financial Terms

Businesses now largely understand that cyber risk is a business risk, says Clar Rosso, CEO of (ISC)2, a nonprofit security training and certification organization. “It’s evolving to a point where boards and C-suites understand that to successfully manage risk in their businesses, they need to think about information security risk as much as they think about financial risk,” Rosso says.

But that raises questions about how much cyber risk, exactly, businesses should take in different situations. Although the news is replete with stories of organizations losing millions of dollars due to data breaches — in ransoms paid to criminals, lost business, reputational damage and more — putting an accurate dollar figure on the level of risk has been elusive.

“We’re seeing tight budgets and people scrutinizing where to make investments,” says Buck Bell, head of CDW’s global security strategy office. “They’re looking for guidance by which to evaluate the financial impacts of the risks they face.”

Past efforts in this area have been dry holes — to the point, Bell says, that some organizations believe attempting to accurately quantify cyber risk is a fool’s errand. CDW, though, has recently developed a tool that does just that, he says.

The Security Program Assessment and Risk Quantification tool calculates risk by combining cybersecurity insurance data with well-established security best-practice protocols, such as the one developed by the National Institute of Standards and Technology. “This is real, no-joke actual insurance claims data, not some theoretical modeling that may or may not be true that tries to value data with a series of abstractions,” Bell says. “Taking this approach is a much faster, more accurate way of providing that risk quantification. What’s the maturity of the security controls, and what’s the potential for loss, based on insurance data? Then it comes up with a dollar figure.”

Once businesses understand how much cyber risk they have and where it is, they can make better decisions about how to insure against and mitigate those risks. “They can start turning dials to see how they can manage that risk while getting the most bang for their buck,” he says. “That’s wildly super powerful.”


AI Is Forcing a Re-Evaluation of Data Protection and Governance

AI is changing the way businesses think about protecting their data. Cybersecurity professionals, for example, told (ISC)2 in a recent survey that while they’re excited about how AI tools might help them work more efficiently, especially when it comes to automating repetitive tasks, more of them think the technology will be of greater benefit to criminals than to their business, according to Rosso.

Indeed, says Bell, “folks are interested in the benefits of AI but they’re also hyper-concerned that without appropriate data classification and data governance that they could expose sensitive data via a large language model.”

In an AI-powered world, organizations will have to be more diligent than ever about understanding how their data is being governed and secured and who is authorized to gain access to it. CDW’s Mastering Operational AI Transformation, which is an executive consulting engagement that helps organizations effectively introduce AI concepts across the enterprise, includes a security component that focuses on data governance and access control, Bell said.


Operational Tech Security Is an Emerging Source of Concern

Cybercriminals are focusing increasingly on critical-infrastructure facilities, such as water treatment and power plants, for good reason: The most attractive targets are those that can bring down the orderly functioning of an entire region. And such facilities may not be as well protected as most people would think; most of them run their OT, which controls physical machines within the facilities, on aging systems that weren’t designed for the internet era.

In January, FBI Director Christopher Wray told Congress that Chinese hackers are “positioning on American infrastructure in preparation to wreak havoc and cause real-world harm to American citizens and communities, if or when China decides the time has come to strike.”

Such a strike, if successful, could be devastating, Bell notes: “We know that the impacts of operational downtime in critical-infrastructure environments can far exceed the historical cost of, say, data exfiltration that we might have seen as a typical cyber risk. So, if Water Treatment Facility X or Gas Company Y cannot function for three, four, five days or longer, what’s the overall impact of that on them? The impacts of OT security are really only starting to be understood.”

One challenge that businesses must overcome is the traditional siloed nature of IT and OT teams, says Jeremiah Salzberg, chief security technologist at CDW. Not only have the two sides not communicated much in the past, he says, but also “culturally, they tend not to get along very well.”

Helping such businesses secure their OT requires a holistic approach, Salzberg says. CDW calls its approach the 5D security model, for detection, definition, decision, deployment and defense. On the one hand, the model presents organizations with a comprehensive action plan for identifying vulnerabilities and deploying solutions and processes to address them; on the other, it encourages individuals to hold each other accountable.

“It’s about getting to that place where you say, ‘Hey, what do we really have going on here, and how do we address these needs?’” Salzberg says.
