For information leaders today, there is increasing interest from non-technical parties - from the legal team to the Board - in the ongoing question "are we secure?" The challenge is that any technical leader knows the answer is not binary, especially in today's business climate. The fundamental issue information leaders must confront is that, for the enterprise to endure, their role must evolve. We've examined before the rise of risk quantification in other domains, from insurance to ship trading. The challenge facing the modern CISO and CIO, however, is quantifying risks that have yet to be measured - digital risks.
As we've examined, the role of information leader has evolved rapidly over the last decade. Technological innovations, and their resulting impact on people and process within an organization, have driven organizations to rely more and more on the data collected by their information teams. Gartner states that by 2022, 90% of corporate strategies will explicitly mention data as a critical enterprise asset and analytics as an essential competency. The main insight is that information leaders must begin to see themselves as asset managers in the same way that the CFO and COO do - data has become the new currency. As a result, information leaders are being held to the same standards as their peers in reporting on their progress and operations. To communicate effectively with the Board and CEO, information leaders must be able to speak the same language as their counterparts - the language of risk.
Three buckets of risk
Business leaders are conditioned to measure risk and make decisions from that data. The main forms of risk that leaders face fall into three categories:
- Financial risk: The risk of financial loss or gain as a result of a given investment.
- Operational risk: The risks associated with failure in people, process, and systems.
- Strategic risk: The risks most relevant to the executive team; strategic risk is the impact that decision making has on the organization.
To date, these forms of risk have covered all facets of a business - the people and process to deliver value, the strategy guiding where the organization is going, and the cash to fund it all. We are now in a new era of business, though, with a new category to account for: the adoption of cloud technology, the permeation of artificial intelligence, and the ever-increasing reliance on data have created a need to measure these digital risks in the same context as the original three.
Is digital risk a fourth bucket?
The challenge for even seasoned actuaries is the recognition that digital risks are no longer confined to one aspect of the organization - marketing teams are using customer and market data to design custom campaigns, operations teams are implementing internet of things technology, and AI is guiding strategy decisions at breakneck speed. This raises the question: is digital risk its own bucket? Or, rather, does it need to be measured as a lateral aspect of the entire enterprise?
During our conversation with Raphael Yahalom, MIT researcher and CyberSaint advisor, he placed himself in the second camp. Quantifying digital risk is not as simple, because we do not yet have the data to project it in the same way we can with other forms of risk. Further, digital risk integrates forms of risk that have been left nebulous to date - reputational risk, for example: a glance at headlines in 2018 (and even the TurboTax breach in recent weeks) will show the catastrophic damage that a cyber event such as a data breach can do to an organization's reputation and even its bottom line.
New risk, new approach
The frameworks that exist today, NIST 800-30 and FAIR among them, are the foundation on which the future of cyber risk quantification will be built. These frameworks are the first step: by allowing information leaders to communicate in the same fashion as their business-side counterparts, they will bridge the gap between technical and non-technical.
Digital risk itself represents a new configuration of impacts to the business and, as a result, demands new methodologies to assess those impacts. However, digital risk must be conveyed in the same fashion as the other three categories if it is to be understood by other members of the executive suite.