Cyber risk is synonymous with business risk, and in the contemporary landscape, this assertion hardly raises any eyebrows. However, what does this seemingly straightforward statement entail for an organization? More crucially, how can an organization quantify and effectively control cyber risk within the context of overall business risk?
Business risk is defined as “the exposure a company or organization has to factor(s) that will lower its profits or lead it to fail”[1]. Seemingly daily headlines of data breaches and system intrusions that disrupt operations and incur increasing fines make it clear that cyber risk fits this description. But the question remains: how can we value this exposure?
Within cybersecurity, business risk is often defined as the cost of loss – the loss of data, diminished productivity, and other costs incurred as a result of an incident. Some organizations go to great lengths and expense to estimate each of these potential losses. However, as the definition above suggests, business risk is not fundamentally defined by losses; it is defined by profits.
In the realm of business, profit is distilled down to a simple equation:
Revenue – Cost = Profit.
Now, how do we reconcile the loss of data, productivity setbacks, and other current attempts to understand cyber business risk with this equation? The first step is to categorize potential losses more precisely. Certain losses impact revenue, while others impact costs. For instance, productivity setbacks directly reduce revenue, while regulatory fines and legal expenses increase costs. The second step is to recognize that controls implemented to reduce risk can themselves impair productivity (hindering revenue) or require undue additional effort (increasing indirect costs). For what appears to be a simple equation, the underlying math is anything but.
The intent of estimating the impact of business risk is to understand the potential impact on profit – the delta between revenue and cost. Mature organizations have a meticulously devised plan in place that captures projected revenue, costs, and profit. Known as a forecast, this plan serves as a guiding principle for day-to-day operations and provides the market with insight into the organization's anticipated trajectory. Business risk fundamentally becomes a valuation of the potential impact on the forecast.
To manage cyber risk as an integral facet of business risk, organizations need a quantitative grasp of how cyber incidents might affect both sides of the equation. Because cybersecurity affects both revenue and costs, treating it solely as a cost center limits this perspective. Adjusting awareness to account for both the revenue and the cost impact of cyber risk empowers the security team not only to address the deficiencies in their current cyber posture but also to focus on what truly matters to the enterprise.
At Pellonium, the treatment of cyber risk as business risk is just one of several components that enable an organization to execute a Cyber Enterprise Risk Management (CERM) strategy. It provides a feasible path to maturing the security program by ensuring that cyber risk decisions consistently align with the business strategy and the overall risk posture of the organization. Cyber risk is regarded as business risk when it integrates seamlessly with all other enterprise risks confronting the organization. (For more on our definition of CERM, please see this blog post.)
Pellonium can help you manage cyber risk as business risk as you seek to attain CERM. Contact us to learn how.