One of the world’s largest communication technology giants was justifiably concerned about potential security breaches. The company, which has tens of millions of customers and thousands of network points, records a whopping one billion plus threats per day. So, how do they determine which of these risks need the most attention and investment? By quantifying them in terms of dollar impact.
As cybersecurity evolved into a top-three business risk, boards and leadership teams wanted more insight than a traditional risk heat map provided: “What is the financial impact of a potential data breach?” “How much does remediating the risk cost versus accepting it?” “Are our cybersecurity investments proportionate to our risk exposure?”
The only way to answer these questions was to quantify the company’s cyber risks in monetary terms. So, the board and leadership team challenged the CISO to come up with a single risk score for each cyber risk, represented in terms of dollar impact. That’s when the CISO turned to MetricStream for a solution. Today, MetricStream Cyber Risk Quantification is helping the company transform cyber risk data into a single risk score that’s quantified in terms of dollar impact. These actionable insights have accelerated decision-making time by 50%. Cyber teams are better able to prioritize investments, while boards and leadership teams are able to provide stronger oversight of cybersecurity.
This single cyber risk score is both credible and real-time. The underlying cyber risk taxonomy maps the relationships between cyber risks, assets, and business lines, and covers the 100+ systems that monitor the company’s security posture.
The company leverages MetricStream’s risk quantification engine, with its proprietary algorithm, to compute the dollar impact of each cyber risk based on the FAIR methodology. The result is a targeted understanding of which cyber risks are most important and need the most attention. The built-in API framework automatically integrates cyber risk, threat, and vulnerability data from 100+ systems inside and outside the company to calculate risk exposure in financial terms.
MetricStream has helped the company harmonize its risk management techniques and methods by driving towards a common risk score across the cyber, operational risk, and resilience teams. This score is based on consistent factors and is grounded in a business context.
This combined risk score helps cyber teams accurately weigh the cost-benefit of either a single risk mitigation strategy or a combination of them. It also helps them increase the agility and speed of remediation efforts. MetricStream also provides a top-down and bottom-up 360-degree view of cyber risk.
Top-down views take risk assessment information from the business in terms of dollars—for example, how much it costs to keep an order processing system up and running. Meanwhile, bottom-up views provide data on the costs of mitigating vulnerabilities.
• Insufficient insights on the financial impact of cyber risks for the board and leadership team
• Variations in risk scoring taxonomies across the business
• Lack of a 360-degree view of cyber risks across internal and external systems
• Improved efficiency through a centralized approach to cybersecurity risk and compliance management
• Enhanced visibility into IT compliance risks
• Fostered a strong culture of cyber risk awareness and accountability across the enterprise
Decision-makers now have dynamic insights on the monetary impact of each cyber risk weighed against the cost of remediation. This helps them prioritize cybersecurity investments to ensure maximum bang for their buck. For example, if they can conclude that the impact of a potential breach is, say, $10 million, while the cost to fix it is $5 million, then they can decide to invest in remediation. But if they know that the remediation would cost $20 million—double the impact of the breach itself—they may decide to accept the risk, or transfer part of it through insurance.
By synchronizing business and technology perspectives in a single risk score, MetricStream has enabled the company to align its cyber investments and risk mitigation actions with business priorities. The risk quantification methodology is a self-tuning, business-harmonized model that adjusts its factors as they change.
The focus is on measurement: standardized, normalized, and calibrated against business benefit. Today, the company is considering expanding its risk quantification methods to other areas, including operational risk management, financial risk management, and SOX compliance. The more its risks are quantified, the more effectively the CISO and other risk officers can communicate with the board and leadership team.