Quantifying Risk: How To Have The Right Conversation About Security To Increase Sales
If solution providers want to make the business case for security to their clients, they need to have the right kind of conversation about risk, Director and Chief Economist of the U.S. Cyber Consequences Unit Scott Borg told channel cybersecurity executives.
Where security sales normally go wrong, Borg said, is when the discussion with clients includes false promises, gets too technical, or leans on fear or bogus cybersecurity metrics. He was speaking Saturday at Security University, part of the XChange Solution Provider 2017 conference hosted this week in National Harbor, Md. by CRN parent company The Channel Company.
Instead, Borg said, the solution providers in the audience should have conversations about the business risk that security addresses. Specifically, they should quantify the risk cyberattacks pose to a business, then show how technology reduces that risk and keeps it manageable. Putting a value on that risk helps business leaders understand the real impact an attack could have on their business and, from there, make informed investment decisions about opportunity cost and risk tolerance.
"Risk is what we live with in business. Everything businesses do has elements of risk… Cybersecurity [professionals] shouldn't think they have to eliminate cyber-attacks and their bad consequences altogether, when nothing else in the business world works that way. Instead, make discussions about how to keep cyber-attacks to an acceptable, cost-effective minimum," Borg said.
Borg defined risk as "annualized expected loss." For cybersecurity, he said, risk is calculated by multiplying threat, consequences and vulnerability together. He broke the estimate into five elements: the nature of the threatened cyberattack and the percentage likelihood of a serious attempt (the threat), the potential magnitude of loss (the consequences), the degree of vulnerability under a given security policy, and the expected loss that results under that policy, which is what the product yields.
Consequences are the direct effect of an attack, less whatever substitutions the business can make after the attack (workarounds, alternative suppliers), over the duration of the disruption, plus any secondary effects on the supply chain, contracts, business obligations and more. Vulnerability covers the attacker's ability to find, penetrate, co-opt, conceal and cause irreversible damage across hardware, software, networks, automation, users and suppliers. The key, Borg said, is to raise the attacker's cost where the risk is greatest.
Solution providers shouldn't get hung up on making the numbers too accurate or specific, Borg said. The point, he said, is more to put the conversation in business terms with a "back of the envelope estimate" and to make a convincing argument for purchasing decisions to lower annualized expected loss from attacks.
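The following is an added worked example of that back-of-the-envelope arithmetic, written for this page rather than taken from Borg's talk or any U.S. Cyber Consequences Unit tool. It uses the decomposition above (risk = threat x consequences x vulnerability, with consequences = net effect after substitutions x duration + secondary effects) and then ranks candidate security policies by net benefit, since the goal is the cost-effective minimum rather than the lowest possible loss. All scenario names, probabilities and dollar figures are constructed for illustration.

```python
"""Back-of-the-envelope annualized expected loss (AEL).

Added illustration of the risk decomposition described above. Not a USCCU
tool; every figure below is a constructed, hypothetical example.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Scenario:
    """One attack scenario: the 'threat' and 'consequences' inputs."""
    name: str
    attempt_likelihood: float      # threat: annual probability of a serious attempt
    loss_per_day: float            # direct effect per day of disruption
    substitution_per_day: float    # value recovered per day by workarounds
    duration_days: float           # expected length of the disruption
    secondary_loss: float          # one-off knock-on losses (penalties, lost contracts)


@dataclass(frozen=True)
class Policy:
    """A security posture: its annual cost and, per scenario, the probability
    that a serious attempt succeeds (the 'vulnerability' input)."""
    name: str
    annual_cost: float
    vulnerability: dict  # scenario name -> probability an attempt succeeds


def consequences(s: Scenario) -> float:
    """Loss if the attack succeeds: net daily effect over the duration, plus secondary effects."""
    net_daily = max(0.0, s.loss_per_day - s.substitution_per_day)
    return net_daily * s.duration_days + s.secondary_loss


def annualized_expected_loss(s: Scenario, p: Policy) -> float:
    """threat x consequences x vulnerability for one scenario under one policy."""
    return s.attempt_likelihood * consequences(s) * p.vulnerability[s.name]


def portfolio_ael(scenarios, p: Policy) -> float:
    """Total annualized expected loss across all scenarios under a policy."""
    return sum(annualized_expected_loss(s, p) for s in scenarios)


def largest_risk(scenarios, p: Policy) -> str:
    """Where to raise the attacker's cost first: the scenario with the biggest AEL."""
    return max(scenarios, key=lambda s: annualized_expected_loss(s, p)).name


def compare_policies(scenarios, baseline: Policy, candidates) -> list:
    """Rank candidate policies by net benefit: AEL reduction minus extra annual cost.
    The winner is the cost-effective choice, which need not be the lowest AEL."""
    base = portfolio_ael(scenarios, baseline)
    rows = []
    for p in candidates:
        ael = portfolio_ael(scenarios, p)
        extra_cost = p.annual_cost - baseline.annual_cost
        rows.append({
            "policy": p.name,
            "ael": ael,
            "risk_reduction": base - ael,
            "net_benefit": (base - ael) - extra_cost,
        })
    return sorted(rows, key=lambda r: r["net_benefit"], reverse=True)


# Constructed sample inputs (hypothetical figures, not from the article).
SCENARIOS = [
    Scenario("ransomware", attempt_likelihood=0.5, loss_per_day=40_000,
             substitution_per_day=10_000, duration_days=7, secondary_loss=50_000),
    Scenario("data_theft", attempt_likelihood=0.3, loss_per_day=0,
             substitution_per_day=0, duration_days=0, secondary_loss=200_000),
]
BASELINE = Policy("current", annual_cost=0,
                  vulnerability={"ransomware": 0.6, "data_theft": 0.4})
CANDIDATES = [
    Policy("EDR + tested backups", annual_cost=60_000,
           vulnerability={"ransomware": 0.15, "data_theft": 0.3}),
    Policy("MFA everywhere", annual_cost=15_000,
           vulnerability={"ransomware": 0.5, "data_theft": 0.2}),
]

if __name__ == "__main__":
    print(f"baseline AEL: {portfolio_ael(SCENARIOS, BASELINE):,.0f}  "
          f"(largest risk: {largest_risk(SCENARIOS, BASELINE)})")
    for r in compare_policies(SCENARIOS, BASELINE, CANDIDATES):
        print(f"{r['policy']:<22} AEL {r['ael']:>9,.0f}  "
              f"reduction {r['risk_reduction']:>9,.0f}  net {r['net_benefit']:>9,.0f}")
```

With these constructed inputs the baseline AEL is 102,000 per year, driven mostly by the ransomware scenario. The EDR-and-backups option cuts AEL the most (to 37,500) but costs 60,000, for a net benefit of 4,500; the cheaper MFA option only cuts AEL to 77,000 but nets 10,000. That is the conversation Borg describes: rough numbers, in business terms, that make the purchase decision about annualized expected loss rather than about fear.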
Jeff Sumner, CEO and co-founder of Hudson, Ohio-based Corporate Technologies Group, said he also sees clients, especially CEOs and boards of directors, looking for more business-oriented conversations about cybersecurity risk. Those conversations, he said, get the technical and business teams on the same page about security risk and ultimately open up more budget to address a quantified risk.
"The CEOs want to hear it from someone else. The CIO or the director of technology are not threatened when someone tells the CEO [about security risks] because they're trying to get them [on board] and get budget, but they may not otherwise get it because they are seen as just asking for money. Now you have someone else coming in defining the risk it poses. That's a different conversation," Sumner said.