There’s something wrong with the way we practice cybersecurity today. We’re spending more and more money on mitigating cyber risk, but data breaches only increase in frequency and cost.
If you’re an executive worried about data security, then you’re doing your job. But your fear – though entirely understandable – may lead you to waste money on overbuilt cybersecurity solutions that provide limited risk reduction but create needless inefficiencies in your company.
Fear drives traditional cyber risk management. CFOs and CEOs may not be able to describe how hackers executed the latest headline-grabbing breach, but they know they don’t want to be the next company grabbing those headlines. Lacking in-depth knowledge of cybersecurity, these executives open their wallets for vendors and security experts who can play to their fear to get arbitrary, often oversized budgets.
And if these companies decide to trim their cybersecurity budgets, who decides how and where those cuts take effect? In too many cases, executives do not cut their cybersecurity budgets because they see opportunities for leaner, smarter protection of their data, but because they’re afraid they’re paying too much. The traditional, fear-based approach to cybersecurity spending can end up harming a company’s defenses if the wrong corners are cut.
Business leaders need to take fear out of the equation. A new data analytics-driven approach to cyber risk assessment and management can do just that.
This approach, called cyber risk economics, quantifies every aspect of a company’s cyber risk in monetary terms. It looks at the probable frequency with which a threat action will result in loss, such as a security breach, and the probable magnitude of this loss, which may include not only lost productivity and the cost to replace information assets but also many other fees and penalties. Cyber risk economics can quantify these once-intangible factors because of the increased availability of security data and the maturity of data analytics in recent years. A mix of custom, client-specific data and public information can be interpreted through risk models leveraging probability science, machine learning, artificial intelligence, and big data to arrive at a dollars-and-cents cost.
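To make the frequency-and-magnitude idea concrete, here is an added example, not taken from the article or from any vendor's model: a small Monte Carlo simulation that turns a loss frequency and a loss magnitude into an expected annual loss, a bad-year figure, and the net dollar benefit of a control. The Poisson and lognormal distributions, the function names, and every input figure are assumptions constructed for illustration.

```python
import math
import random
import statistics

# Assumption: event counts are Poisson and per-event losses are lognormal.
# The article names no specific model; these are common illustrative choices.

def poisson(rng, lam):
    """Knuth's method: number of loss events in one year at mean rate lam."""
    limit, k, p = math.exp(-lam), 0, rng.random()
    while p > limit:
        k += 1
        p *= rng.random()
    return k

def simulate_annual_loss(freq, median_loss, sigma, years=20000, seed=1):
    """Return simulated yearly loss totals in dollars.

    freq        -- expected loss events per year (probable frequency)
    median_loss -- median dollars per event (probable magnitude)
    sigma       -- spread of the lognormal magnitude; larger means a fatter tail
    """
    rng = random.Random(seed)  # fixed seed so runs are reproducible
    mu = math.log(median_loss)
    return [sum(rng.lognormvariate(mu, sigma) for _ in range(poisson(rng, freq)))
            for _ in range(years)]

def summarize(losses):
    """Expected annual loss and the 95th-percentile (bad-year) loss."""
    ordered = sorted(losses)
    return statistics.fmean(ordered), ordered[int(0.95 * len(ordered))]

def control_net_benefit(freq, median_loss, sigma, freq_reduction, annual_cost):
    """Expected loss avoided per year minus what the control costs per year."""
    before, _ = summarize(simulate_annual_loss(freq, median_loss, sigma))
    after, _ = summarize(simulate_annual_loss(freq * (1 - freq_reduction),
                                              median_loss, sigma))
    return before - after - annual_cost

if __name__ == "__main__":
    # Constructed inputs for one hypothetical data asset, not article figures.
    mean, p95 = summarize(simulate_annual_loss(0.5, 200_000, 1.0))
    print(f"expected annual loss ${mean:,.0f}, 95th percentile ${p95:,.0f}")
    for name, cut, cost in [("control A", 0.60, 40_000), ("control B", 0.05, 40_000)]:
        net = control_net_benefit(0.5, 200_000, 1.0, cut, cost)
        print(f"{name}: net benefit ${net:,.0f} per year")
```

With these constructed inputs, a control that barely changes loss frequency shows a negative net benefit at the same price as one that cuts it substantially, which is the kind of comparison the dollar figures are meant to support.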
What’s more, this approach to risk management is granular enough to evaluate specific kinds of sensitive data against threat probabilities to determine what areas of a business need the most protection. For example, many companies encrypt too much of their data! Not all data is equally sensitive, but these firms apply broad-strokes cybersecurity solutions that create additional costs, both from implementing the technology solution and from the friction it creates as the security measures introduce incremental changes that slow down the business.
In short, cyber risk economics tells business leaders how much their data is really worth, highlights what data needs the most protection, and levels the playing field between leaders and security experts by giving these answers in terms of money. When leaders can make cyber risk decisions based on money, instead of fear, they will spend wisely.
Cyber risk economics lets leaders understand the cost-benefit of using layered security solutions. Many businesses end up with two or three tools doing the same or similar job in terms of risk reduction. With cyber risk economics, leaders can ask: are these layers of redundancy deployed in a way that makes sense? Or is this a case of an engineer bringing in a new tool for its own sake?
Not every company has untold millions to throw at cyber defenses. But more and more companies find they are custodians of sensitive data that, if not protected, could hurt them and their customers in the event of a breach. When the stakes are so high and every dollar counts in your budget, cyber risk economics can reveal the true value of data assets and exactly how much they should be fortified to mitigate risk.