Cybersecurity in 2023: Principle 4 — Meaningful Metrics and Reports

This blog post is the fourth in our 5 Principles Blog series.

We've come up with a new way to make security for organizations easier and more efficient. We've based it on five key concepts we developed during the process. Our goal is to make security management effortless and even enjoyable. With our careful planning, we've created a system that not only provides better security but also simplifies the management.

Free Ebook That Unpacks All This & More 

Get the 40+ page ebook and learn the 5 principles that will streamline and simplify your cybersecurity management

Download Ebook

Let us take a look at the fourth principle in this series: Meaningful Metrics & Reports.

The Problem

I've already touched on the importance of good communication between those responsible for cybersecurity and an organization's decision-makers in previous principles.

If the executive management team is to create a culture and organizational structure that helps eradicate risk, they must understand such things as mitigation plans, internal controls, critical processes, and the implications of every security action.

This means that as a CISO or vCISO, you need to be able to communicate your understanding of risk and compliance to the Board of Directors in their own language, using business and financial terms that help them make informed decisions.

Unfortunately, all too often there's a misalignment of language that leads to anything but understanding. Let's take something like risk as an example.

When cybersecurity professionals report to the Board they often talk about the risk status of potential threats and events, categorizing them as high, medium or low risk.

A high-priority risk might be something like a zero-day or ransomware attack that would immediately hit the business. A low-risk item, on the other hand, may be neither likely nor particularly threatening, such as credential stuffing against an offline CA server. An ex-employee walking out with a thumb drive containing a database of your clients would be a medium risk that falls somewhere in between. All this sounds sensible and logical on the face of it until you ask what these labels actually mean to a business in terms of what they would cost the organization if they actually occurred.

So, while we assume an item labeled 'high risk' is more 'dangerous' than something 'low risk', how much and in what way is it riskier?

It's this kind of question business leaders need answering. Unfortunately, that rarely happens which means they aren't equipped with the information required to make the best and most rational decisions possible.

The Solution

Of course, trying to predict uncertain future outcomes is difficult, but that doesn't mean we should settle for simple ordinal scales that have no underlying meaning.

For instance, if we use actual industry probabilities from real-life data breaches and then run the numbers through a Monte Carlo analysis, we can get a reasonably clear picture of what might happen. And that picture can be conveyed in a way that is more easily understood and appreciated by directors who may not be that technically minded.

It's only by taking real numbers and putting them in a business context that we can help business leaders understand cybersecurity spending in terms of what will give them the best return on investment and how much risk they are willing to bear.

If we can start to talk more from the perspective of business rather than technology, we can get to a point where we are saying to the Board: "if you spend $10,000 here, we can reduce the risk attached to this system from $200,000 down to just $20,000", then we are getting somewhere.

This is the language that business leaders want to hear and cybersecurity professionals need to speak.

At Rivial we are constantly stress-testing our thinking and innovating because we believe this is the way to ensure our CISO clients and MSP partners get the best value from us.

It has helped us develop the advanced security techniques central to our Cybersecurity Risk Assessment solution, which streamlines the process of collecting risk information and improves the risk assessment results in ways that significantly reduce the effort required of our platform users.

These efficiencies also fold perfectly into three tenets of meaningful measures and reports: loss tolerance, cyber risk quantification, and business-friendly reports.

By using the Rivial Platform, organizations have a means to define, in specific financial terms, a loss tolerance curve. Individual information systems that have been risk assessed can be compared to the loss tolerance curve. The direct financial comparison provides an easy-to-understand visual of each system being below (good) or above (bad) the loss tolerance curve, making risk management decisions easier.

Organizations can customize their loss tolerance curve to meet a specific risk appetite and then 'financially describe' inherent and residual risk in a way that enables the executive management team to make better decisions based on specific, measurable financial KPIs and metrics. The financial risk measures are produced by advanced statistical analysis.

This process is embedded within the Rivial Platform, making ongoing cyber risk quantification much easier and more streamlined. The risk assessment results and all other functions in the platform that make up the cybersecurity program are neatly packaged in an executive-level report.
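The following Python script is an added illustration of the two ideas above, the Monte Carlo quantification and the loss tolerance curve comparison; it is not Rivial's code or its statistical model, and every number in it (breach probability, loss distribution, tolerance thresholds, the before/after control) is a constructed, hypothetical input chosen to mirror the "$200,000 down to $20,000" style of statement in this post.

```python
import math
import random

# Constructed scenario, not Rivial data: one information system, where a
# breach occurs in a given year with probability P_EVENT and, if it does,
# the loss is lognormal around LOSS_MEDIAN (a common shape for breach costs).
LOSS_MEDIAN, LOSS_SIGMA, TRIALS = 150_000, 0.8, 20_000
P_EVENT_BEFORE, P_EVENT_AFTER = 0.20, 0.02   # before / after a control is bought

# Hypothetical loss tolerance curve: "we accept at most this probability of
# losing more than this amount in a single year".
TOLERANCE = {100_000: 0.10, 500_000: 0.02}


def simulate_annual_losses(p_event, trials=TRIALS, seed=7):
    """Monte Carlo over simulated years; returns one loss figure per year."""
    rng = random.Random(seed)  # fixed seed so results are reproducible
    mu = math.log(LOSS_MEDIAN)
    return [rng.lognormvariate(mu, LOSS_SIGMA) if rng.random() < p_event else 0.0
            for _ in range(trials)]


def expected_annual_loss(losses):
    """Mean simulated loss: the dollar figure to put in front of the Board."""
    return sum(losses) / len(losses)


def prob_exceeding(losses, threshold):
    """Empirical probability that a year's loss exceeds the threshold."""
    return sum(1 for loss in losses if loss > threshold) / len(losses)


def tolerance_breaches(losses, tolerance=TOLERANCE):
    """Thresholds at which the system sits above the loss tolerance curve."""
    return [t for t, max_p in sorted(tolerance.items())
            if prob_exceeding(losses, t) > max_p]


if __name__ == "__main__":
    for label, p in (("before control", P_EVENT_BEFORE), ("after control", P_EVENT_AFTER)):
        losses = simulate_annual_losses(p)
        print(f"{label}: expected annual loss ${expected_annual_loss(losses):,.0f}; "
              f"above tolerance at {tolerance_breaches(losses) or 'no threshold'}")
```

Replacing the constructed inputs with real breach frequency and cost data for your own systems is what turns the output into the financial KPIs the post argues for.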

In conclusion, as we wrap up this fourth installment in our 5 Principles Blog series, we've shed light on a critical problem faced by cybersecurity professionals today: the language barrier between technical experts and business leaders. Bridging this gap is essential for organizations to effectively manage risk and make informed decisions. Learn more about how Rivial’s platform can help you accomplish this here.