Monetization of Cyber Risks Has Made the Security Industry. Now It’s Slowly Killing It.
The idea of cybersecurity risk being part of the business operational risk subset has been around since the early days of IT security. BS7799, which subsequently evolved into ISO27001, as well as COBIT and COSO ERM, have all included IT security risks as part of the technology risk subset. The intention was to communicate these risks to the organization’s management team and, if necessary, to the board.
One of the challenges encountered by technology risk practitioners early on was the quantification of the risks they identify as part of their job. Without proper quantification of risks, management cannot assess the impact on operations and the bottom line or agree on mitigation strategies. With risk management thought leadership driven by the financial and actuarial industries, the dollar became the de facto measurement unit for technology and security risk.
In finance, insurance, and even manufacturing, the dollar as a measure of risk makes perfect sense, as direct or close estimates of loss can be calculated. However, when it comes to technology, the dollar figure assigned to the value of data or to the operational value of a particular technology is arbitrary. With no generally agreed upon principle for calculating these values and no widely adopted cybersecurity risk quantification models, the figures will vary significantly depending on both the expert and the purpose of the calculation.
Yet these arbitrary financial quantifications of cyber risk became the cornerstone of the cybersecurity industry. Most organizations have a financial motivation to either earn money (businesses) or save money (public institutions). Therefore, it is natural for management to make decisions based on the dollar figure assigned to a specific risk. Early on, cybersecurity sales and marketing realized that the only way to influence the decision of an executive who has little understanding of technology, let alone cybersecurity, is by presenting often inflated risk quantification figures.
The approach allowed vendors to sell security when no one saw it as a significant risk to operations, and it shaped the approach to cybersecurity sales for years to come. It has contributed to the rise of the industry and to the capability to thwart many cyber attacks from advanced threat actors. The monetization of cyber risks enabled a significant influx of funds and minds into the security industry, something that would not have happened otherwise. It has also given rise to the “Economics of Cybersecurity,” where an imaginary ROI on cybersecurity investments could be measured and shown to contribute positively to the organization’s bottom line.
From a psychological perspective, it is easy to understand how ROI became the figure used to measure investment in security. Both risk and TCO are closer to real-life figures and produce negative emotions by negatively impacting the bottom line. ROI, on the other hand, is a positive figure that puts the decision-maker in a good light. The problem is that risk mitigation has no ROI, because the risk is not a milestone or goal of the business decision process. We pay for insurance, but we are not looking forward to collecting a payout one day. When a government buys a fighter jet or builds a submarine, there is absolutely no ROI expectation – just the cost of reducing geopolitical security risks. Investment in cybersecurity is all about smoothing the bumps on the road of normal business operations. It is about survival and not losing a lot of money in an unpredictable, high-impact event.
While business leaders and boards are increasingly aware of various cyber risks, they keep falling into the trap of monetizing these risks and discussing security ROI. Decisions made on the basis of monetized cyber risks also have a significant impact on the organizational cybersecurity strategy, which in the end negatively affects the organization’s security posture, making it less resilient to incidents that impact business continuity.
To understand the fallacy of cyber risk monetization, let’s divide the risks into three categories. The first is risks related to known threats that are relevant to the organization under current circumstances. These are the risks where we have high visibility and understand what’s going on. The second is risks still related to known threats, but where we do not fully understand how and under what circumstances they will affect the organization. We have lower visibility of these risks and no certainty as to how they may apply to us. The third category is risks related to threats we are not aware of – the “unknown unknowns.” This is the most dangerous underwater part of the cyber threat iceberg.
The second and third categories pose the greatest threat to business continuity and organizational survival. Yet because these risks are hard to monetize, security vendors, who influence business decisions, have management and the board focusing on the first, more predictable and less dangerous category of risks, applying quantitative financial measurement to them and converting it into security investment ROI.
As a result, the cybersecurity strategy in most organizations is focused on chopping away the visible part of the iceberg above the waterline while ignoring the sizeable part below it. Security vendors are focused on selling prevention that may be 99.9% effective, yet the 0.01% is the unknown, high-impact event that may shut you down. Resilience, especially against the unknown risks, should be part of every organization’s cybersecurity strategy, yet because of the inability to monetize these risks, its visibility at the senior management and board level remains low.
With a steadily growing number of cybersecurity incidents and ransomware pandemics, trust in the industry is slowly eroding. The recent wave of supply chain attacks, culminating in the SolarWinds breach, has shown a lack of strategy and security hygiene even among the industry leaders. The Colonial Pipeline ransomware attack became the proverbial red line, and governments can no longer be silent observers in cyber safety. Ransomware payments are becoming illegal, and insurance companies are refusing ransom payouts under cyber policies. Regulations are coming, and organizations should expect prescriptive instructions on what they should and should not do as part of their cybersecurity. While the industry will survive, the golden age is over, with less creativity and fewer business opportunities available.
The monetization of cyber risks and the “economy of cyber” is a dangerous addiction that our industry has developed through growth gluttony. Many technology vendors and their resellers have little regard for the actual cybersecurity needs of their clients, maximizing present revenue instead. They have little concern that the erosion of trust will undermine the growth of the industry as a whole in the long run. For better or for worse, the cybersecurity industry has gotten itself into a tricky situation, and it can only save itself by starting to educate leadership on the actual value of cybersecurity: the one that does not have any real ROI.