Updated: Jun 9
There is a language barrier in cybersecurity that is preventing a fundamental shift in how businesses address cyber risk and improve their cyber resilience. The barrier exists because we (as in the cybersecurity ecosystem) continue to discuss cyber risk in a language that is not familiar to business leaders.
The language of business leaders is rooted in accounting, finance, and marketing. It includes terms like revenue, return on investment, margin, capital, and more. This language helps business leaders understand the health of their business and serves as an answer key for making decisions. Words that are outside of their language are confusing, misleading, or undecipherable.
To remove this barrier and encourage a fundamental shift in how businesses address cyber risk, we (as in the cybersecurity ecosystem) must speak the language of business leaders.
1. In general terms, a vocabulary is the set of familiar words within a person’s language.
2. In traditional cybersecurity, it is the body of words that forms the cybersecurity language, such as authentication, data breach, denial of service attack, domain, encryption, exploit, and firewall.
3. For the new way of discussing cybersecurity proposed here, it is a simple translation of the traditional cybersecurity vocabulary into a set of words that are familiar to business leaders.
Moving from maturity scores to financial insights
By default, maturity is a good thing: it describes a business’s ability to respond to the situations it faces.
With the best of intentions, a cyber maturity score attempts to describe a business’s cyber wisdom, that is, how the business chooses to respond to various cyber situations. It does this by scoring each cyber-related control within a cybersecurity framework (such as the NIST CSF) on a 0 to 5 maturity scale, where 0 represents no capability and 5 represents an optimized capability. The average score across all controls in the framework defines the business’s maturity level.
Seems like a good approach, but here is the problem. The cyber maturity score does not tell the business:
the magnitude of their cyber risk problem,
where and how risk transfer provides liability protection,
which inflight or future cybersecurity projects offer the best return on investment,
and much more.
To get answers to the list above (and much more), businesses need to move beyond cyber maturity scores to financial insights. Maturity scores can help inform those financial insights, but they are not the complete picture. Financial insights about cybersecurity reduce the chance of a business making misinformed decisions, because they don’t assume that:
high maturity is equal to an insignificant cyber risk problem,
all controls (within a framework) are equal in risk reducing ability,
risk transfer mechanisms offer equal liability protections amongst different perils,
and much more.
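To make the argument concrete, here is a small Python illustration. It is added here and is not from the original post; the loss model in it is an assumption of mine, not something the post prescribes. Two constructed businesses score the same 3.0 average maturity on the 0 to 5 scale described above, yet a simple expected-loss view, in which each loss scenario is reduced only by the weakest control that actually bears on it, shows one carrying roughly twice the exposure of the other, concentrated in a single scenario, and points at the one project that buys the most risk reduction. Control names, scenarios, frequencies and dollar figures are all constructed.

```python
"""Added example (not from the original post): why an average maturity score
can hide a large cyber risk problem, and what a financial view adds.

Assumptions, all mine and not prescribed by the post:
- Controls are scored 0..5 as in the post; the maturity score is their mean.
- Annual expected loss for a scenario is modelled as
  frequency * magnitude * (1 - reduction), where reduction is the maturity of
  the WEAKEST control relevant to that scenario divided by 5 (an attacker
  routes around the strong control, not the weak one).
- Every figure below is constructed for illustration, not real data.
"""
from statistics import mean

MAX_SCORE = 5

# Constructed loss scenarios: which controls bear on each, the annual
# frequency if nothing mitigates it, and the loss per event in USD.
SCENARIOS = {
    "ransomware outage": {
        "controls": ["backup_recovery", "endpoint_detection"],
        "frequency": 0.5, "magnitude": 2_000_000,
    },
    "credential phishing": {
        "controls": ["mfa", "awareness_training"],
        "frequency": 2.0, "magnitude": 150_000,
    },
    "lost laptop": {
        "controls": ["asset_inventory", "disk_encryption"],
        "frequency": 1.0, "magnitude": 50_000,
    },
}

# Two constructed businesses. Both average exactly 3.0 on the 0..5 scale.
BUSINESS_A = {"backup_recovery": 3, "endpoint_detection": 3, "mfa": 3,
              "awareness_training": 3, "asset_inventory": 3, "disk_encryption": 3}
BUSINESS_B = {"backup_recovery": 0, "endpoint_detection": 5, "mfa": 4,
              "awareness_training": 3, "asset_inventory": 5, "disk_encryption": 1}


def maturity_score(controls):
    """The framework-style view: one number, the mean of all control scores."""
    return mean(controls.values())


def scenario_exposure(controls, scenario):
    """Annual expected loss for one scenario under the assumed weakest-link model."""
    weakest = min(controls[c] for c in scenario["controls"])
    reduction = weakest / MAX_SCORE
    return scenario["frequency"] * scenario["magnitude"] * (1 - reduction)


def total_exposure(controls):
    """Annual expected loss summed over all scenarios (USD)."""
    return sum(scenario_exposure(controls, s) for s in SCENARIOS.values())


def exposure_breakdown(controls):
    """Where the money is: expected loss per scenario, rounded to whole dollars."""
    return {name: round(scenario_exposure(controls, s)) for name, s in SCENARIOS.items()}


def best_single_improvement(controls):
    """Which control, raised by one maturity level, removes the most expected
    loss? Returns (control_name, dollars_saved_per_year). This is the
    'which project offers the best return' question in its simplest form."""
    base = total_exposure(controls)
    best = None
    for name, score in controls.items():
        if score >= MAX_SCORE:
            continue
        trial = dict(controls, **{name: score + 1})
        saved = base - total_exposure(trial)
        if best is None or saved > best[1]:
            best = (name, saved)
    return best


if __name__ == "__main__":
    for label, biz in (("A", BUSINESS_A), ("B", BUSINESS_B)):
        print(f"Business {label}: maturity {maturity_score(biz):.1f}, "
              f"annual expected loss ${total_exposure(biz):,.0f}")
        for scenario, loss in exposure_breakdown(biz).items():
            print(f"  {scenario:<20} ${loss:>10,}")
        name, saved = best_single_improvement(biz)
        print(f"  best next step: raise {name} one level, saving ${saved:,.0f}/yr")
```

Both businesses report a maturity of 3.0, but under the assumed model Business A carries about $540k of annual expected loss spread across three scenarios while Business B carries about $1.16m, most of it from the single scenario its one unscored control leaves wide open, and the same arithmetic names the project that pays back most. That is the difference between a score and a financial insight.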
Highlighting financial exposures, not technical vulnerabilities
For decades, business leaders have been receiving cybersecurity reports filled with an endless stream of emerging threats, a growing list of technical weaknesses, and worst-case stories that frankly no business leader wants to happen on their watch. These reports don’t provide comfort or options; they provide fear.
Yes, we live in an interconnected world where cyber incidents are a guaranteed reality for every business. Yes, some cyber incidents are really damaging. Yes, systemic risk is always a possibility.
However, the cyber risk problem is not the same for every business, and that is hard to see from technical reporting. When cybersecurity leaders express cyber risk as a financial metric, business leaders can understand the magnitude of the cyber risk problem in the context of their other operational risks.
With that understanding, business leaders can decide which cyber risks to accept, mitigate, and transfer as part of their cyber resilience strategy.