Can You Prove It? A CISO's Guide to Answering Tough Questions about Cyber Risk Quantification Numbers

Generative AI
June 8, 2022

Most CISOs run into pushback when they have to explain or contextualize their cyber risk quantification numbers, especially to CFOs and other business leaders. The number itself is hard to defend: how it was calculated, and whether it is credible. For most business and finance leaders the loss range is so wide, and so disconnected from the business KPIs and growth indicators they track, that it inevitably raises questions such as “So are you saying we go broke if this happens?” or “What does this really mean?”, both of which are difficult for a CISO to answer.

Cyber Risk Quantification with Business Context

At Alfahive, our approach is to elevate risk conversations above the tech stack and focus on the business. Our cyber risk quantification (CRQ) platform turns complicated risk data into a language everyone in the business understands. Our approach is industry focused: for each industry we maintain a detailed archetype that includes a standard definition of its common cyber risks. Research is the cornerstone of our expertise. Because we have deep knowledge of the cyber threats, business models and KPIs of each industry, business leaders find the loss magnitude numbers much easier to understand and relate to; they are not created in a vacuum, and they match the business operations.

Loss Magnitude Accuracy

Research is the first and most important part of creating credibility. That is why we cast our nets wide and deep, researching scenarios for each retail business function, for example online only, brick and mortar, and omnichannel. We layer in the type of products or goods sold and the region of sales. Each of these has unique business processes mapped to specific applications and data, and carries a specific type of cyber risk. For example, an online retailer running hype sales campaigns is more exposed to bot abuse; a grocery retailer is more exposed to third-party risk in its merchandising supply chain; a consumer packaged goods (CPG) company is more exposed to cyber risk in IoT-enabled manufacturing; and a healthcare retailer is more prone to a PII data breach.

An Outside-In Approach to Cyber Risk Scenarios

Research credibility comes down to minute details that are specific to the industry, business domain, region, peers, affiliations and outliers. Alfahive takes an “outside in” approach to cyber risk scenarios and saves customers valuable time and effort by doing the deep and wide research needed to pre-curate scenarios unique to your business, so that you can feel confident when you need to validate the numbers with your CFO or leadership team.

Cyber Risk Research based on KPIs

The next question is how this pre-curated business context and cyber risk research add clarity to the quantification and the loss magnitude. A real-life example of what makes Alfahive’s approach to CRQ different and more realistic is bringing in the context of the specific business function. For a retailer that has both stores and an online channel, we gather the business KPIs, traffic, conversion rate and average order/transaction value (AOV), and look at the same risk scenario, for example ransomware, and the impact it would have on each KPI for that specific business function. The impact on conversion and AOV in a store during a ransomware attack is vastly different from the loss that the online channel would incur on Black Friday. Response time and actions are also remarkably different, especially when you consider recovery costs for stores versus online, and how customers and the supply chain are affected in each risk scenario.
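As an added illustration, not code from Alfahive or its platform, the following Python sketch shows how the KPI-based approach described above turns a ransomware outage into a loss magnitude range for each channel: hourly revenue from traffic, conversion and AOV, multiplied by an uncertain recovery time and the share of sales that are never recovered, plus a fixed recovery cost. The two channels, their KPI figures, recovery-time ranges and cost figures are constructed assumptions for the example, not Alfahive data.

```python
# Added illustration of KPI-driven loss magnitude; not Alfahive's code.
# All KPI figures, recovery-time ranges and cost figures below are
# constructed assumptions for the example.
import random
from dataclasses import dataclass
from statistics import mean, quantiles


@dataclass(frozen=True)
class ChannelKPIs:
    """Business KPIs for one sales channel (business function)."""
    name: str
    visits_per_hour: float   # traffic
    conversion_rate: float   # fraction of visits that become orders
    aov: float               # average order / transaction value, USD


@dataclass(frozen=True)
class OutageScenario:
    """How a ransomware outage plays out for one channel."""
    recovery_hours: tuple[float, float, float]  # (min, most likely, max)
    sales_lost_fraction: float   # share of missed sales never recovered
    recovery_cost: float         # fixed response and restoration cost, USD


def hourly_revenue(kpis: ChannelKPIs) -> float:
    """Revenue per hour implied by the channel's KPIs."""
    return kpis.visits_per_hour * kpis.conversion_rate * kpis.aov


def loss_for_outage(kpis: ChannelKPIs, scenario: OutageScenario,
                    outage_hours: float) -> float:
    """Loss magnitude for a single outage of the given duration."""
    lost_sales = hourly_revenue(kpis) * outage_hours * scenario.sales_lost_fraction
    return lost_sales + scenario.recovery_cost


def loss_distribution(kpis: ChannelKPIs, scenario: OutageScenario,
                      runs: int = 10_000, seed: int = 1) -> dict[str, float]:
    """Sample recovery time from a triangular distribution and return loss
    magnitude percentiles; this spread is the range a CRQ report shows."""
    rng = random.Random(seed)
    lo, mode, hi = scenario.recovery_hours
    losses = [loss_for_outage(kpis, scenario, rng.triangular(lo, hi, mode))
              for _ in range(runs)]
    cuts = quantiles(losses, n=100)   # 99 cut points: cuts[k-1] is the k-th percentile
    return {"p10": cuts[9], "p50": cuts[49], "p90": cuts[89],
            "mean": mean(losses)}


# Constructed inputs: a single store versus the online channel on Black Friday.
STORE = ChannelKPIs("store", visits_per_hour=400, conversion_rate=0.25, aov=45.0)
ONLINE_BLACK_FRIDAY = ChannelKPIs("online (Black Friday)", visits_per_hour=50_000,
                                  conversion_rate=0.03, aov=90.0)

# Store: POS down, some shoppers come back later; recovery is largely hands-on.
STORE_RANSOMWARE = OutageScenario(recovery_hours=(4, 12, 48),
                                  sales_lost_fraction=0.6, recovery_cost=50_000)
# Online: shoppers go elsewhere during the event; larger IR/restoration bill.
ONLINE_RANSOMWARE = OutageScenario(recovery_hours=(2, 8, 24),
                                   sales_lost_fraction=0.9, recovery_cost=200_000)


if __name__ == "__main__":
    for kpis, scenario in ((STORE, STORE_RANSOMWARE),
                           (ONLINE_BLACK_FRIDAY, ONLINE_RANSOMWARE)):
        dist = loss_distribution(kpis, scenario)
        print(f"{kpis.name:>22}: hourly revenue ${hourly_revenue(kpis):,.0f}, "
              f"loss P10 ${dist['p10']:,.0f} / P50 ${dist['p50']:,.0f} / "
              f"P90 ${dist['p90']:,.0f}")
```

The point of structuring it this way is that every input is a number the business already tracks (traffic, conversion, AOV) or a recovery assumption the security team can defend (how long the POS or storefront stays down), so when the CFO asks where the P90 comes from, the answer is a chain of KPIs rather than a black box.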

Taking all of these dimensions into account is what lends credibility to the quantification and enables security and compliance leaders to explain and defend the results. The biggest advantage is that all stakeholders, business, finance and security leaders alike, are reading from the same playbook.

Numbers the Board Can Trust

We have created a detailed business process map and domain model for each industry type and mapped it to the common cyber risks. This gives you two advantages. First, 80% of the cyber risks are already curated and mapped to business processes, leading to a 10X faster time to value on your risk quantification journey. Second, our loss magnitude quantification algorithm is far more trustworthy to business leaders and board members, because they can trace the dollars to the business impact in an easy-to-explain manner.