As a CISO, one of my primary responsibilities is staying on top of the latest threats, vulnerabilities, and risks that could potentially affect my organization.
I recently read Andy Greenberg’s article in Wired Magazine, “The Untold Story of NotPetya, the Most Devastating Cyber Attack in History” (https://www.wired.com/story/notpetya-cyberattack-ukraine-russia-code-crashed-the-world/). The article describes how a cyber weapon, used by the Russians to attack Ukraine, cost millions in collateral damage worldwide. The NotPetya malware spread from the servers of a Ukrainian tax software firm to other organizations, paralyzing the operations of some of the largest companies in the world. For many of these businesses, it took weeks and months to recover. These types of losses translate into real dollars for affected companies and their shareholders. In the case of NotPetya, several big-name companies learned the hard way that cyber risk is a business risk.
One of the tools available for organizations to manage cyber risk as business risk is something called FAIR, or Factor Analysis of Information Risk. FAIR provides a model and framework for understanding, monitoring, and measuring cyber risk in financial terms.
Why does quantifying cyber risk in financial terms matter?
In many organizations, cyber risk is considered a black box. It isn’t easily understood, and typically it’s communicated by sowing FUD, or Fear, Uncertainty, and Doubt, across the organization. FAIR allows you, the practitioner, to break down cyber risk, strip away the technical jargon, and translate it into dollars and cents. It’s a framework your business partners will understand and value.
At Fannie Mae, FAIR helps my team understand cyber risks better and differently. For any practitioner, it provides a way to recognize the vulnerabilities in your business processes and technology infrastructure, as well as identify the controls and countermeasures in place to strengthen your assets. You will get to know your business better by understanding how your company makes money. And finally, you’ll learn the types of losses and costs, such as lost revenue or response/recovery costs, that your organization will incur for significant cyber incidents.
By understanding your organization’s cyber risk in financial terms, you can make better investment decisions regarding the right mechanisms to protect your organization from cyber incidents. If your organization’s biggest losses might come from ransomware or destructive malware attacks, then you can prioritize investments to segment your network and patch the most critical vulnerabilities. If you find that your organization’s biggest loss could be a data breach, then you might focus your cybersecurity priorities on data encryption, anti-phishing, and anti-malware solutions.
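To make the FAIR approach described above concrete, here is an added example (not code from the article or from the FAIR Institute) that quantifies two scenarios of the kind just mentioned, a ransomware outbreak and a data breach, and ranks them by annualized loss. It uses FAIR’s standard decomposition, Risk = Loss Event Frequency × Loss Magnitude, with Loss Event Frequency = Threat Event Frequency × Vulnerability, and runs a simple Monte Carlo simulation over calibrated min/most-likely/max estimates. The scenario names, ranges and dollar figures are constructed for illustration, and triangular distributions are used in place of the PERT distributions FAIR practitioners commonly use.

```python
import random
from dataclasses import dataclass
from statistics import mean


@dataclass(frozen=True)
class Range:
    """A calibrated estimate: minimum, most likely, and maximum value."""
    low: float
    likely: float
    high: float

    def sample(self, rng: random.Random) -> float:
        # random.triangular takes (low, high, mode); triangular stands in for PERT here
        return rng.triangular(self.low, self.high, self.likely)

    def expectation(self) -> float:
        # Mean of a triangular distribution
        return (self.low + self.likely + self.high) / 3


@dataclass(frozen=True)
class Scenario:
    name: str
    threat_event_frequency: Range  # threat events per year
    vulnerability: Range           # probability a threat event becomes a loss event
    loss_magnitude: Range          # dollars per loss event (primary + secondary losses)


def expected_ale(s: Scenario) -> float:
    """Analytic annualized loss expectancy, assuming the three factors are independent."""
    return (s.threat_event_frequency.expectation()
            * s.vulnerability.expectation()
            * s.loss_magnitude.expectation())


def simulate(s: Scenario, trials: int = 20000, seed: int = 42) -> dict:
    """Monte Carlo estimate of annual loss: returns mean and 50th/90th percentiles."""
    rng = random.Random(seed)  # fixed seed so runs are reproducible
    annual_losses = []
    for _ in range(trials):
        # Loss Event Frequency = Threat Event Frequency x Vulnerability
        lef = s.threat_event_frequency.sample(rng) * s.vulnerability.sample(rng)
        # Annual loss for this trial = loss events per year x loss per event
        annual_losses.append(lef * s.loss_magnitude.sample(rng))
    annual_losses.sort()
    return {
        "mean": mean(annual_losses),
        "p50": annual_losses[trials // 2],
        "p90": annual_losses[int(trials * 0.9)],
    }


# Constructed scenarios; every figure below is illustrative, not a real estimate.
RANSOMWARE = Scenario(
    name="destructive malware / ransomware",
    threat_event_frequency=Range(0.5, 2.0, 5.0),
    vulnerability=Range(0.10, 0.30, 0.60),
    loss_magnitude=Range(500_000, 2_000_000, 8_000_000),
)
DATA_BREACH = Scenario(
    name="data breach",
    threat_event_frequency=Range(0.2, 1.0, 3.0),
    vulnerability=Range(0.05, 0.15, 0.40),
    loss_magnitude=Range(200_000, 1_000_000, 5_000_000),
)


def rank_scenarios(scenarios, trials: int = 20000, seed: int = 42):
    """Order scenarios by simulated mean annual loss, largest first."""
    results = [(s.name, simulate(s, trials, seed)) for s in scenarios]
    return sorted(results, key=lambda r: r[1]["mean"], reverse=True)


if __name__ == "__main__":
    for name, r in rank_scenarios([RANSOMWARE, DATA_BREACH]):
        print(f"{name:40s} mean ${r['mean']:,.0f}  p50 ${r['p50']:,.0f}  p90 ${r['p90']:,.0f}")
```

The ranking, not the exact dollar figure, is what drives the investment decision the paragraph above describes: the scenario with the larger annualized loss is where segmentation, patching, encryption or anti-phishing spend should be argued for first, and the 90th percentile gives the business a defensible “bad year” number alongside the average.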
Whether it’s attacks like those mentioned in the Wired article or a significant data breach, cyber risk is a business risk, and it should be communicated within your organization in terms of dollars and cents. FAIR gives you the tools and techniques you need to manage, monitor, and measure it.