A common language for risk management: Dollars and cents

A key aspect of the job for security leaders at retailers is to present cyber risks to boards and top executives in terms they understand.

Bay Dynamics says the best way to do that is through the common language of dollars and cents.

"Boards of directors know how to speak dollars and cents and they know how to speak risk, but they don't know how to speak threats and vulnerabilities," said Steven Grossman, vice president of strategy and enablement for Bay Dynamics.

The San Francisco-based cyber risk analytics company is launching Application Value at Risk, or V@R, a new feature of its Risk Fabric platform that ties a dollar amount to remediation actions or non-actions.

[Photo: Steven Grossman, VP at Bay Dynamics. Credit: Martin Bentsen]

The Risk Fabric platform has been available for four years, pulling together threat, vulnerability and business context to help clients assess their actions. But for the first time, V@R brings real dollar amounts into boardroom discussions.

"This creates a very common language to be able to communicate to boards in telling what security teams do, how they are doing it, and the performance value of what they are doing," Grossman said.

It is not an easy task to determine cyber risks and mitigation costs because each company has a different environment, Grossman said. Bay Dynamics has its Risk Fabric platform set up to keep data current in an integrated model that gauges the impact on the company of using a given application.

The goal of V@R is to calculate the impact of breached applications and express it to company executives, while also recommending actions to remedy any problems. "It leads us to be able to prescribe specific actions, noting that to take these actions today will give you the biggest bang for your buck by reducing your financial cyber risk," Grossman added.

Risk-based approaches are not new to payments networks, Grossman said. "The PCI [Payment Card Industry] standards take you part of the way to the risk-based approach," he added. "It means you understand the value of your assets and how they intersect with threats or vulnerabilities."

However, PCI doesn't quantify those dangers, Grossman said, whereas Bay Dynamics seeks to correct threats and vulnerabilities and integrate that data into a model to gauge the impact of using an application.

"In that manner, a framework is set up that can be defined with financial numbers," Grossman added. "In every industry, everyone is overwhelmed with the massive challenge of managing their cyber risk, and this is telling them where to start."

Not many other companies serving retailers or payments providers are offering this type of financial translation, but it makes sense to seek a common ground between security personnel and company decision makers, said Al Pascual, research director and head of fraud and security for Javelin Strategy & Research.

"Trying to engage with your risk committee and get them to understand the types of risk they are dealing with and what needs to be done about it requires some sort of common ground," Pascual said. "It is very important, and what is more common than dollars and cents?"

Even security leaders who have been at companies a long time and may be used to dealing with company executives still may not be completely comfortable talking about costs, Pascual added. "This gives you the tools you need to do it with metrics that can be very helpful."

Bay Dynamics' work drew the attention of Chicago-based auditing and advisory network Grant Thornton LLP, which was working on a similar approach to deliver an exposure factor to clients. The two companies decided to become partners in developing V@R.

"People are now realizing that more emphasis has to be on how to make better decisions with the investments they are making," said Jeff Recor, risk advisory services principal at Grant Thornton. "To do that, they have to understand the value of what they are trying to protect."

As far back as 30 to 40 years ago, security companies determined annual loss expectancy or single loss expectancy with a simple formula based on the value of the data or of the system on which the data was stored, Recor said. "That was more a physical metric than a point-in-time metric," he added.

Bay Dynamics is trying to educate companies that pouring money into "something you can't prevent 100% is madness," Recor said. The company realizes many businesses are growing weary of the habit of being hacked, paying to fix it, and then being hacked again.

It is far better, Recor added, to get help in establishing a risk posture that helps determine what truly needs to be addressed right away and what can wait — based on established values and translated to dollars and cents.

Under that process, the same security value assessment used to protect against vulnerabilities to cyberattacks would also transfer to all of the tools in the governance, risk and compliance ledgers of the company, Recor said. "That is the real value of what Bay Dynamics is trying to do," he added.

Ultimately, if enterprises can quantify the financial impact of cyber risk by calculating actual dollar amounts tied to each asset that houses sensitive payment data, it becomes far easier to prioritize remedial work by first addressing the problems with the greatest financial impact, Bay's Grossman said.
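The classic loss-expectancy arithmetic Recor refers to, applied to the prioritization Grossman describes, as an added example that is not Bay Dynamics' V@R model or any code from the article: each application's annual loss expectancy is asset value times exposure factor times annual rate of occurrence, and candidate remediations are ranked by expected loss reduction per dollar spent rather than by raw loss. All application names, dollar values, exposure factors and rates are constructed for illustration.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Application:
    name: str
    asset_value: float       # dollar value of the data or system (constructed)
    exposure_factor: float   # fraction of that value lost per incident, 0..1
    annual_rate: float       # expected incidents per year (ARO)


@dataclass(frozen=True)
class Remediation:
    app: str                 # name of the Application it applies to
    description: str
    cost: float              # one-time cost in dollars (constructed)
    new_exposure_factor: float   # EF after the remediation is in place
    new_annual_rate: float       # ARO after the remediation is in place


def single_loss_expectancy(app: Application) -> float:
    """SLE = asset value x exposure factor (dollars lost per incident)."""
    return app.asset_value * app.exposure_factor


def annual_loss_expectancy(app: Application) -> float:
    """ALE = SLE x annual rate of occurrence (expected dollars lost per year)."""
    return single_loss_expectancy(app) * app.annual_rate


def annual_loss_after(app: Application, rem: Remediation) -> float:
    """ALE recomputed with the remediation's post-fix EF and ARO estimates."""
    return app.asset_value * rem.new_exposure_factor * rem.new_annual_rate


def rank_remediations(apps, rems):
    """Return (remediation, ALE reduction, reduction per dollar) sorted so the
    biggest reduction per dollar of remediation spend comes first."""
    by_name = {a.name: a for a in apps}
    scored = []
    for rem in rems:
        app = by_name[rem.app]
        reduction = annual_loss_expectancy(app) - annual_loss_after(app, rem)
        scored.append((rem, reduction, reduction / rem.cost))
    return sorted(scored, key=lambda t: t[2], reverse=True)


# Constructed sample portfolio: the card vault has the largest raw ALE, but
# the cheaper loyalty-portal fix buys more risk reduction per dollar.
SAMPLE_APPS = [
    Application("card-vault", 5_000_000, 0.40, 0.10),
    Application("loyalty-portal", 800_000, 0.25, 0.50),
    Application("hr-intranet", 300_000, 0.50, 0.20),
]
SAMPLE_REMEDIATIONS = [
    Remediation("card-vault", "tokenize stored PANs", 250_000, 0.05, 0.10),
    Remediation("loyalty-portal", "patch and front with WAF", 40_000, 0.25, 0.10),
    Remediation("hr-intranet", "enforce MFA on remote access", 20_000, 0.50, 0.05),
]
```

Estimating the exposure factors and occurrence rates is the hard part that the article says varies by environment; the arithmetic above only turns those estimates into a board-level ranking.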

MORE FROM AMERICAN BANKER