What’s the best way to describe security risks in terms of business impact?

5.2k views, 2 upvotes, 7 comments

Board Member, Advisor, Executive Coach in Software, Self-employed
I was having this dialogue yesterday with somebody I was mentoring who was having this problem. They were junior and just picking up some senior roles. And I was like, "Go focus on what's an extinction event for your company. What could make them go out of business?" And I gave her an example of a dialogue I had several years ago with a peer in the food and beverage industry. Their board and CEO didn't care about cybersecurity. And I'm like, "Look, let's get real. What's your number one enterprise risk?" And they're like, "Well, okay. Lettuce tainted with E. coli or hamburger meat gone bad." And I said, "Okay. Food safety is your number one enterprise risk." And they're like, "Yeah. Because people will die on the other end of it if they get severely ill." I was like, "Okay, great. What's your cybersecurity program for your food safety data?" They didn't have one. They were focused on PCI compliance and stuff like that. I was like, "That's a revenue risk." They can take that risk all day long. And you just told me you weren't focused on the integrity of the food safety data, or adequately on the availability of it. And people will die.

When you start putting it in those terms, it really simplifies it. It gets muddier when you go down the stack. But I mean, I could tell you from Intel, because I did this circa 2002: book, order, pay, build, shut, close, communicate, the macro business processes. And there were temporal aspects to it, right? For revenue, for coordination, stuff like that. And the macro technology risk issue would have been the equivalent of what happened with SolarWinds. Somebody got into my network, manipulated my product, and then took the compute stack out at a silicon level. Extinction-level event, right? Material risk. I know I've oversimplified it, but I think if people think that way, it's the survival thing. You can live three minutes without air, three days without water, but three weeks without food.
CEO in Healthcare and Biotech, 2 - 10 employees

In the context of the government, and outside of very specific communities like the military, special forces, and intelligence operations, things like material risk are just not concepts that most of the federal government focuses on. Obviously, if you're a regulatory agency and you're all about food safety, you may really focus on that. But at the macro strategic level, it is difficult to recall any conversation where this kind of concept of material risk was brought up and discussed. And I think there could be a lot of value in trying to inject some of these ideas into how the executive branch in particular thinks about its risks around cybersecurity, data integrity, data availability, and the like. It'd be nice to find a way to inject that concept into a dialogue and say, "Okay, stop thinking about the way that you like to articulate how you approach these issues. Tell me about it from a material risk standpoint. Tell me what would be an existential event for the Department of Health and Human Services in terms of cyber."

Board Member, Advisor, Executive Coach in Software, Self-employed

Well, I mean, you look at it and you go, "The OPM breach was an existential threat that they weren't properly managing." Right? And yet the implications of it were absolutely material.

GVP in Software, 10,001+ employees
Would love to get your take on this.
Director of Information Security in Energy and Utilities, 5,001 - 10,000 employees
Personally, what has worked well is mentioning that bonuses will go poof if we have a large enough breach and that there's a material impact on operations. People tend to take risk far more seriously if the impact is directly relatable to them (in this case, their money).
Director of Information Security in Energy and Utilities, 1,001 - 5,000 employees
What is the currency of your business? For most businesses, it is money. But for others, it can be something else. If it is a fire department, their currency is the number of lives they can save. Translate the security risks into the currency of your business.
Director in Manufacturing, 1,001 - 5,000 employees
A lack of security can have a significant real impact on manufacturing. IoT means that when security is lacking, things may stop working. The story below is unfolding right now: https://www.honeywell.com/us/en/press/2021/03/update-on-honeywell-it-system
