Don’t be a Sony: Three Critical Steps to Cyber Security
Remember when Sony Pictures Entertainment got hacked in November 2014? Remember holding your face in your hands when you learned that the breach had been going on for months without being detected? It’s a perfect example of what happens when a company relies entirely on its internal team’s “happy PowerPoints”, or as I call them, the “All OK” status reports, to manage its security posture!
This could be your company!
Washington tech companies are some of the top in the industry, holding an estimated market value of $600 billion. And with our industry supporting more than 240K in-state employees, there’s a lot at stake, should a major security breach happen.
So here’s the question:
Do you fully understand how a security breach could impact your company? Are you months, weeks, or maybe days away from brand ruin? A breach can trigger an unexpected, time-consuming and costly recovery period, loss of customers, and flight of business partners and investors, as well as litigation or restrictions on how you do business!
Your company’s cyber-security is a business imperative, not only a technological one, and prioritizing security remediation without quantifying the risk is akin to a roll of the dice. It’s particularly important for C-level executives and board members to objectively understand the security risks that threaten their company’s information, to prioritize them, and to assign appropriate security resources to avoid security breaches.
Relying on internal reports of the status quo can be particularly problematic when you need to have all the facts. Implementing a third-party, calculated risk valuation of your internal security systems is the best way to ensure that you have an objective, big-picture understanding of the ever-present risks that threaten your data security.
Determine the Impact
You may have tens, even thousands, of “red flag” issues that need to be remediated. Quantifying the impact of each risk should be based on the potential residual damage it can have on your business, such as downtime, reputational impact, legal liabilities, and flight of investors and customers.
Determine the Frequency
Just as publicly traded companies use third-party internal and external auditors before SEC financial reporting to maintain the objectivity and integrity of their financial data, companies should also use this third-party approach for their cyber-security status reporting.
Now What?
The following are three steps I recommend you take to better understand and manage your cyber-security initiatives:
1. Quantify Your Risk
Whether yours is a startup or an established company, it’s imperative to quantify the risks that exist in your information security environment. Subjective, internal decision-making processes can unintentionally omit crucial factors and obscure the degree of risk your company faces. For example, if you use a “Red, Yellow, Green” alert system, you could be missing high-impact security issues within the “Red zone” whose remediation needs to be prioritized.
Implementing a data-driven approach within your current systems is the best tactic for determining whether you’re effectively prioritizing and remediating imminent security risks.
How do you do this? Take a look at this simple analogy:
“Is the risk in question a 1st-floor leak or a 10th-floor leak?”
In other words, you’ve got two leaks happening simultaneously, but the residual water damage of a 10th floor leak is far greater than the one on the 1st, so best attend to it first.
How should you quantify your risks?
Now it’s time to focus on the frequency of these events, which is based on an estimate of how likely a risk is to occur without the consideration of existing management and control effectiveness. It should then be rated (slight risk, likely, or expected) based on the experience of companies of a similar size, scope, and industry focus.
Do the Math
Once you’ve assessed the impact and frequency of events, you should assign a numerical value, or score, to each based on your findings, from minimal impact (1 point) to critical impact (5 points); this will provide you with a scientific, mathematical approach to calculating your company’s inherent risk of a data breach.
Impact x Frequency = Inherent Risk
By taking these steps, you’ll create a proactive, numbers-based system that will help you determine which issues are your top priority.
2. Pick Your Battles
Full disclosure of the risks that threaten your company’s cyber-security is of the utmost importance. The monthly or quarterly reports you receive from your internal I.T. department certainly cover what’s happening in the now, but are they telling you the whole story? Here’s where a third-party technical SME (subject matter expert) can root out the Delta, or the unidentified variable, that might be the iceberg to your Titanic!
Consider the above analogy: it’s important that you prioritize which risks to transfer, which to deny, and which to mitigate based on their impact and frequency. Now that you’ve got your scoring and rating systems in place, you can apply the equation (Impact x Frequency = Inherent Risk) to create a prioritized list of events that need to be remediated.
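The following is an added illustration, not code from the original post, of the scoring described in steps 1 and 2: each finding gets a 1–5 impact score and a frequency rating, Impact x Frequency gives the inherent risk, and the list is sorted so the “10th-floor leaks” come first. The intermediate impact labels, the numeric mapping of the post’s three frequency ratings (slight/likely/expected), the treatment thresholds, the remediation costs and the findings themselves are all assumptions constructed for the example; only the 1–5 scale and the formula come from the post.

```python
from dataclasses import dataclass
from typing import List

# Impact scale: 1 (minimal) to 5 (critical) per the post; the intermediate labels are assumed.
IMPACT_SCALE = {"minimal": 1, "minor": 2, "moderate": 3, "major": 4, "critical": 5}
# Frequency ratings are the post's three words; mapping them to 1/3/5 is an assumption.
FREQUENCY_SCALE = {"slight": 1, "likely": 3, "expected": 5}


@dataclass
class Finding:
    name: str
    impact: str        # key of IMPACT_SCALE
    frequency: str     # key of FREQUENCY_SCALE
    remediation_cost: int  # constructed cost units, used for the budget step below

    def inherent_risk(self) -> int:
        """Impact x Frequency = Inherent Risk, rejecting ratings outside the scales."""
        if self.impact not in IMPACT_SCALE:
            raise ValueError(f"unknown impact rating {self.impact!r} for {self.name}")
        if self.frequency not in FREQUENCY_SCALE:
            raise ValueError(f"unknown frequency rating {self.frequency!r} for {self.name}")
        return IMPACT_SCALE[self.impact] * FREQUENCY_SCALE[self.frequency]


def prioritize(findings: List[Finding]) -> List[Finding]:
    """Highest inherent risk first; ties broken by name so the order is stable."""
    return sorted(findings, key=lambda f: (-f.inherent_risk(), f.name))


def treatment(score: int) -> str:
    """Map a score (1..25) to a treatment. The cut-offs are assumed, not from the post."""
    if score >= 15:
        return "mitigate"            # fix now
    if score >= 6:
        return "transfer-or-mitigate"  # e.g. insure it, or schedule the fix
    return "accept"                  # document and monitor


def allocate_budget(ranked: List[Finding], budget: int) -> List[Finding]:
    """Fund remediations in priority order until the budget runs out (step 3)."""
    funded, remaining = [], budget
    for f in ranked:
        if f.remediation_cost <= remaining:
            funded.append(f)
            remaining -= f.remediation_cost
    return funded


def sample_findings() -> List[Finding]:
    """Constructed sample register; the names and ratings are illustrative only."""
    return [
        Finding("Verbose error pages on internal wiki", "minor", "slight", 2),
        Finding("Stale contractor accounts never deprovisioned", "major", "likely", 5),
        Finding("Unpatched internet-facing VPN appliance", "critical", "expected", 20),
        Finding("Backups never tested for restore", "major", "slight", 10),
        Finding("No MFA on finance SaaS", "critical", "likely", 15),
    ]


if __name__ == "__main__":
    ranked = prioritize(sample_findings())
    for f in ranked:
        s = f.inherent_risk()
        print(f"{s:>2}  {treatment(s):<22} {f.name}")
    funded = allocate_budget(ranked, budget=40)
    print("Funded this quarter:", [f.name for f in funded])
```

Running it ranks the VPN appliance (5 x 5 = 25) ahead of the missing MFA (5 x 3 = 15) and the stale accounts (4 x 3 = 12), and with a budget of 40 units the greedy allocation funds exactly those three and leaves the low-scoring items for the next cycle. Two points of the design matter more than the numbers: ratings outside the agreed scale are rejected rather than silently scored, and a red/yellow/green label is never used anywhere, so two “red” issues can still be told apart.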
3. Dedicate a Budget
No company has an unlimited budget to dedicate to its security resources, but ensuring that any unauthorized or criminal use of your data is abated must be a top priority. Limited internal resources can also be a factor when considering the implementation of a risk-quantification approach to security systems management.
That said, senior executives should be asking themselves,
“What’s my risk appetite? Can I afford to have one breach per year or every five years?”
“Do I have quantified risk analyses in place?”
Chances are the answer is “No.”
In my experienced opinion, it’s at times like this that a company should seek out a third-party, objective risk assessment and quantification of its existing systems and risk factors. A fresh look at the status quo by a dedicated subject matter expert provides an excellent and cost-effective means of gaining control of your information security systems.
There will be a breach. Are you ready?
In today’s rapidly changing cyber-security world, it’s all about picking the right battles based on a CRV (calculated risk value) driven approach! Security breaches will happen, but how you approach and manage these risks will determine the wellbeing of your company’s future. Effective organizations implement third-party, CRV-based risk mitigation plans to transfer, deny, or accept and mitigate risks. Implementing risk-quantification-based prioritization will not only improve your remediation efforts, but also help you manage your limited security dollars effectively.