What’s the best way to describe security risks in terms of business impact?
What is the currency of your business? For most businesses, it is money. But for others, it can be something else. If it is a fire department, their currency is the number of lives they can save. Translate the security risks into the currency of your business.
Personally, what has worked well is mentioning that bonuses will go poof if we have a large enough breach and that there's a material impact on operations. People tend to take risk far more seriously if the impact is directly relatable to them (in this case, their $).
Girish Malangi would love to get your take on this
I was having this dialogue yesterday with somebody I was mentoring who was having this problem. They were junior and just picking up some senior roles. And I was like, "Go focus on what's an extinction event for your company. What could make them go out of business?" And I gave her an example of a dialogue I had several years ago with a peer in the food and beverage industry. Their board and CEO didn't care about cybersecurity. And I'm like, "Look, let's get real. What's your number one enterprise risk?" And they're like, "Well, okay. Lettuce tainted with E. coli or hamburger meat gone bad." And I said, "Okay. Food safety is your number one enterprise risk." And they're like, "Yeah. Because people will die on the other end of it if they get severely ill." I was like, "Okay, great. What's your cybersecurity program for your food safety data?" They didn't have one. They were focused on PCI compliance and stuff like that. I was like, "That's a revenue risk." They can take that risk all day long. And you just told me you weren't focused on the integrity of the food safety data, or adequately on the availability of it. And people will die.
When you start putting it in those terms, it really simplifies it. It gets muddier when you go down the stack. But I mean, I could tell you from Intel, because I did this circa 2002: book, order, pay, build, ship, close, communicate, the macro business processes. And there were temporal aspects to it, right? For revenue, for coordination, stuff like that. And the macro technology risk issue would have been the equivalent of what happened with SolarWinds. Somebody got into my network, manipulated my product, and then took the compute stack out at a silicon level. Extinction-level event, right? Material risk. I know I've oversimplified it, but I think if people think that way, it's the survival thing. You can live three minutes without air, three days without water, and three weeks without food.
In the context of the government, and outside of very specific communities like the military, special forces, and intel operations, things like material risk are just not concepts that most of the federal government focuses on. Obviously, if you're a regulatory agency and you're all about food safety, you may really focus on that. But at the macro strategic level, it is difficult to recall any conversation where this concept of material risk was brought up and discussed. And I think there could be a lot of value in trying to inject some of these ideas into how the executive branch in particular thinks about its risks around cybersecurity, data integrity, data availability, and the like. It'd be nice to find a way to inject that concept into a dialogue and say, "Okay, stop thinking about the way that you like to articulate how you approach these issues. Tell me about it from a material risk standpoint. Tell me what would be an existential event for the Department of Health and Human Services in terms of cyber."
Well, I mean, you look at it and you go, "The OPM breach was an existential threat that they weren't properly managing." Right? And the implications of it were absolutely material.
A lack of security can have a significant real impact on manufacturing. With IoT, when security is lacking, things may stop working. The story below is just unfolding right now: https://www.honeywell.com/us/en/press/2021/03/update-on-honeywell-it-system