In this time of digitalization, with more employees, suppliers and third parties opting for virtual meetings and transactions, IT, security and cyber teams have become hyper-vigilant about the protection of sensitive and regulated information. It’s a challenge. In our previous posts on Risk Quantification, and on how COVID-19 Has Changed The Way We Do Risk – Forever, we focused, in part, on how to take a 360-degree view to prioritize cyber investments based on an operating risk score worked out with the business. The score is based on multiple factors, in the context of business processes, current events and likely future events, network use and user behaviors, together with the characteristics of the data involved. Very timely given our current New Normal.
This blog post doubles down on how to do this using the concept of a Digital Impact Chain with the business to quickly converge on what’s important based on business impact and uses that knowledge to prioritize investments.
What is the Digital Impact Chain?
First of all, it’s simple. It’s easy to use with your business sponsor or process owner. Secondly, it keeps you both focused on what matters. It makes sure you’re aligned with the real impact to the business, in dollar terms, of a threat that is often so technical or complex that it is too difficult to explain on its own. And thirdly, it’s required in order to get a good risk quantification score.
While security teams know well that these simple impact equations are required, many have had difficulty connecting the dots with the business due to technology complexity, language and urgency. If teams could connect these dots and keep them current and relevant with the business, investments in security and cyber team size, incident response processes and technologies, and other playbooks would be proportional to the potential impact of a failure on the business. As we know, that’s not always the case, especially in a crisis.
Why Use the Digital Impact Chain?
Let’s use an example to show how this simple tool can be highly helpful. Take a telecom company whose main website accepts payments to provision devices such as cell phones and to pay monthly bills. With COVID-19 and growing digitization, the number of firms and individuals using this service grows significantly. Improvements may be introduced rapidly in response to growing demand and the need to stay competitive. Change increases the likelihood that something may break, and more complexity increases the attack surface. The security team may know that more investment in tools – anomaly detection or other forms of monitoring – may be required to strengthen controls and block threats. Yet the timing and deployment of those security investments may be delayed while improvements are rolled out, leaving the business exposed to increased risk in the meantime. Why? Because it’s too difficult to quantify the risk in dollar terms, supported by a score that can be compared against other investments.
So, to get at the heart of the matter, security analysts must ask a simple question: What is the daily dollar impact of not being able to receive payments on this site? They know it is significant but don’t know the magnitude, nor do they necessarily have examples of previous incidents and their corresponding dollar impacts or losses. By having your business sponsor and the security analyst use the Digital Impact Chain as part of their collaborative analysis – updated whenever changes are being designed and rolled out – teams can work proactively to prioritize investments. Security analysts strive to keep those impact equations nailed down and current with the business.
Summary and Call to Action
To reiterate, it’s absolutely critical to have a simple, straightforward depiction like the Digital Impact Chain that you can share with business sponsors to agree on what really matters.
Remember, we use this tool so that we can prioritize cyber actions – whether it is something as granular as an unpatched vulnerability, or weak access control – in terms of the assets and processes that have the largest business impact, in dollar terms.
Being able to do this in a clear and sustainable manner is critical, especially when reacting during a crisis. Having this kind of simple diagram can be foundational when prioritizing with your business stakeholders.
Over the coming weeks, we will explore more best practices and how security and cyber teams are adapting to COVID-19, moving beyond how risk quantification methods tie to the digital asset/impact chain (this post) to Moving from Risk to Resilience, and to Orchestrating Risk across IT, cyber, op risk, incident and crisis response, and other disciplines. Stay tuned!