Understanding Risk Assessment for InfoSec Budgeting

Establishing common ground with the C-Suite and the Board is key to securing adequate funding for IT security investments.

Easier said than done, right? Securing that executive buy-in is often the greatest hurdle facing InfoSec leaders. To lower that barrier, speaking the language of risk (rather than security) is an effective, although underused, tactic.

With a sound risk assessment methodology in place, the CISO can describe the risk to the business precisely, in the language of fiduciary responsibility, and secure executive buy-in for investments that reduce the chance of IT security events leading to expensive outcomes.

Experts Weigh in on Risk Assessment Strategies to Get Budget

In March 2018, Mike Hamilton, CISO of Critical Informatics, moderated a panel discussion in downtown Seattle reinforcing a practical methodology to establish common ground and build a case for the most important IT Security investments organizations are facing today.

Reiterating the framework introduced in his white paper, InfoSec Risk Management: a Primer to Assessing Technical Risk, Mike led the discussion about the fundamentals of how to assess and communicate IT security risk to the business, with the objective of creating a value proposition for funding IT security.

Comprised of regional Information Security leaders from legal, actuarial consulting, health insurance, and education, the panel explored the process and practicality of applying this methodology to the high-value elements of a security program.

Traditional Budget Planning Is Evolving

Most companies are still funding information security using a traditional line-item budget-based approach. If a data breach occurs, cyber insurance is slated as the back-up.

While cyber insurance has its place in the overall security program, it is inadequate to fully protect the company from potential financial losses due to cyber disruption of operational continuity (although this seems to be changing).

There's a lot of evidence out there of how much this actually costs in to scope disclosure, and I can tell you that's just the tip of the iceberg.
That's all money that has to come from somewhere.
– Sean Murphy, Vice President, CISO, Premera Blue Cross

Putting all one’s eggs in the cyber insurance basket is also an inappropriate way to mitigate critical gaps in technology, processes, and procedures, and the underwriters are increasing control requirements.

Cyber insurance is slowly asking for more and more control validation.
– Matt Morton, Systems Architect, Seattle Public Schools

Rest assured your premiums will change depending on how many incidents you have over a given year, and you have to renegotiate every year.
– Sean Murphy, Vice President, CISO, Premera Blue Cross

Risk transference works best when the entire security program is risk-based – again, back to the lexicon of managing financial liability, rather than that of cyber-spookery. When IT security risk management is programmatically aligned with the NIST Cybersecurity Framework (or similar standard of practice), communication barriers are lowered, insurance premiums are lower, as is the likelihood of a claim being denied.

Using Risk Assessment to Demonstrate Need for Budget

The first step to proper risk assessment is to select a methodology that applies to the business. When in place, IT leaders can begin to speak the language of the C-Suite and the Board.

I literally have a matrix that I use in front of the board that has an X and Y axis that go to what kind of controls we have in place based on the threat, if it’s high, if we have good controls or we don’t, and measure it against how likely the threat actor is to accomplish it. It boils down to the things that I worry about - the threats that keep me up at night - like malware, drive-by scanning, ransomware attacks, insider threats, third party events, are all outlined, which can then be expanded or contrasted based on how that threat is accelerating in the environment.
– Sean Murphy, Vice President, CISO, Premera Blue Cross

We’ve said before that preventive controls affect the LIKELIHOOD of a security event, and detection and response affect the IMPACT of that event. If a compromise is detected and eradicated in minutes, the impact of a security event is limited to a malware cleanup. If the compromise goes undetected for weeks or months, that impact may exceed the “crisis cost” and begin to affect customer churn and brand damage.

Within any industry you have a normal turnover of customers. In health care, there's a normal churn of patients that used to use the facility and now they don't. When you've had a data incident, a very public disclosure causes an additional impact that you weren't counting on, because they don't use you anymore, and now they don't trust you, and you have to earn that back.
– Sean Murphy, Vice President, CISO, Premera Blue Cross

Using these 5 questions, the CISO can begin to have an executive conversation regarding lowering the financial impact of security events, given the admission that small security events are a fact of life – but they don’t have to become disasters.

Presenting to the C-Suite and the Board

That said, the term ‘risk’ can have different meanings for different executives; therefore, it’s important to establish a consensus-driven framework where everyone has a shared set of terminology. When in place, leaders can predict outcomes with some level of specificity to facilitate and expedite budget approvals. Download our NIST CSF risk worksheet to help you get started.

Getting in front of the business is important. If you walk in and talk about buffer overflow, that's gonna be the last time you go meet with the leadership team. If you go in and talk about risk and impact to the business, they will want to hear from you more. Reporting at the level that they can understand and they're going to relate will keep your seat at the table.
– Vern Cole, Security Architect, Perkins Coie

InfoSec leaders have an uphill battle when it comes to securing the budget they need – risk assessment can provide a solid pathway to overcome barriers in the budgeting process.

In terms of measuring outcomes and costs, in healthcare, we would first be talking very seriously about if this event that can happen, this is how it can affect patient safety.
– Sean Murphy, Vice President, CISO, Premera Blue Cross

Leveraging risk assessment will help establish common ground, raise the sense of urgency, and get mission-critical budget requests approved by the C-Suite and the Board.

Five years ago in healthcare, we were comforted by thinking that it was insider threat all the time; it's a lost laptop, it's somebody inadvertently sending off an email with 500 or more patient records in it. It's still a majority threat today, but it has pivoted towards the nation states, cyber criminals, and hacktivists that see healthcare as a fair game target for the adversary.
– Sean Murphy, Vice President, CISO, Premera Blue Cross

Outcome Avoidance as a Budget Tool

An excellent way to characterize risk to the business is through avoidance of outcomes due to IT security events. Records disclosure, theft or extortion, and disruption of services critical to the organization's mission and business are three easily understood and fairly comprehensive outcomes, each of which can be characterized in dollar amounts of liability.

Records, according to studies and surveys by the Ponemon Institute, cost about $150 each in recovery costs. Theft through CEO impersonation, extortion, etc. can be parameterized by the average amounts typically transferred using ACH or wire, and by empirical data from victims of these crimes. Disruption of key services may cause additional overtime spending and repair, and these costs have been reported publicly by organizations such as the UK National Health System, Merck, the Nuance medical transcription company, and others.

To be clear, identification of risk is followed by assignment of a disposition:

  • Accept – Assume the liability and hope for the best
  • Avoid – Remove the condition creating the risk
  • Mitigate through controls – Add preventive controls to reduce likelihood, detection and response to reduce potential impact
  • Transfer through insurance

After estimating the impact (expressed in dollars) of an unwanted outcome, the choice of which disposition to assign and which corrective actions to take becomes clear as a business-driven request for resources. If there is $20M in potential liability from possession of 100K unsecured records, a request of $150K for encryption tools, additional monitoring, or insurance makes complete business sense, and cements the CISO as an advocate of the business.
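As an added example (not from the post or the panel), the model below prices a records-disclosure outcome at the post's $150/record, lets preventive controls scale likelihood and detection/response controls scale impact, and compares residual exposure with the cost of the budget request. The 20% annual likelihood and the per-control costs and reduction factors are assumptions.

```python
"""Outcome-avoidance budgeting model (added example, not from the post).
Impact is expressed in dollars; preventive controls multiply likelihood,
detection/response controls multiply impact.  The $150/record figure and
the 100K-record scenario come from the post; everything else is assumed."""
from dataclasses import dataclass, replace

COST_PER_RECORD_USD = 150.0  # per-record recovery cost cited in the post


@dataclass(frozen=True)
class Outcome:
    name: str
    likelihood: float   # assumed annual probability the outcome occurs
    impact_usd: float   # liability in dollars if it occurs

    def exposure(self) -> float:
        """Expected annual loss: likelihood x impact."""
        return self.likelihood * self.impact_usd


@dataclass(frozen=True)
class Control:
    name: str
    cost_usd: float
    likelihood_factor: float = 1.0  # preventive control: scales likelihood
    impact_factor: float = 1.0      # detection/response: scales impact


def records_disclosure(name: str, records: int, likelihood: float) -> Outcome:
    """Build a records-disclosure outcome priced at $150 per record."""
    return Outcome(name, likelihood, records * COST_PER_RECORD_USD)


def apply_controls(outcome: Outcome, controls: list[Control]) -> Outcome:
    """Return the residual outcome after every control has been applied."""
    lik, imp = outcome.likelihood, outcome.impact_usd
    for c in controls:
        lik *= c.likelihood_factor
        imp *= c.impact_factor
    return replace(outcome, likelihood=lik, impact_usd=imp)


def evaluate_request(outcome: Outcome, controls: list[Control]) -> dict:
    """Compare exposure before/after the controls with what they cost."""
    before = outcome.exposure()
    after = apply_controls(outcome, controls).exposure()
    spend = sum(c.cost_usd for c in controls)
    return {"exposure_before": before, "exposure_after": after,
            "spend": spend, "net_benefit": before - after - spend}


# Constructed scenario: 100K unsecured records, assumed 20%/yr disclosure.
RECORDS = records_disclosure("records disclosure", 100_000, 0.20)
REQUEST = [Control("full-disk encryption", 90_000, likelihood_factor=0.25),
           Control("log monitoring & response", 60_000, impact_factor=0.5)]

if __name__ == "__main__":
    for key, value in evaluate_request(RECORDS, REQUEST).items():
        print(f"{key:>16}: ${value:,.0f}")
```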

For more information on risk assessment and how to address gaps in your security program, contact one of our expert security consultants today.

Michael K Hamilton, CISSP
The CISO