The 10 Most Important Things A Company Needs In Its Risk Management Plan
Put Risks In Financial Terms
Organizations should look to mature their risk management approach to make it easier to assess true business impact, according to RSA's Schlarman. Companies often start by rating the risk associated with each component either green, yellow or red, and while a traffic light system is easy to understand, organizations struggle to decide which of the red-rated issues is the most important.
Next, organizations move to a cyber-scoring system, which Schlarman said makes it possible for companies to base their decisions on the relative impact of each issue, but which still doesn't really achieve business understanding. The final step, Schlarman said, is putting each risk in financial terms by measuring the company's potential loss exposure.
Companies can often look at past loss events to inform what dollar amount should be associated with their risk exposure, Schlarman said. If there's not enough data to undertake a historical approach, Schlarman said walking through different risk scenarios, Monte Carlo simulations, or the Factor Analysis of Information Risk (FAIR) methodology can help companies generate a specific loss exposure figure.
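To make the last step concrete, the following is an added worked example, not code from the article, from RSA or from the FAIR standard. It takes the two top-level FAIR factors, loss event frequency and loss magnitude, runs a Monte Carlo simulation over one year, and reports the expected annual loss and tail percentiles for each scenario so that "red" issues can be compared in dollars. The scenario names and figures are constructed for illustration, and the choice of a Poisson frequency and a triangular (min / most likely / max) magnitude is a simplifying assumption of this example; a full FAIR analysis decomposes these factors further.

```python
"""Constructed example: FAIR-style Monte Carlo estimate of annualized loss exposure.

Added illustration only; the scenarios and all numbers below are made up.
"""
import math
import random
import statistics
from dataclasses import dataclass


@dataclass(frozen=True)
class LossScenario:
    name: str
    lef_per_year: float      # Loss Event Frequency: expected loss events per year (Poisson mean)
    magnitude_min: float     # Loss Magnitude per event (USD): minimum estimate
    magnitude_mode: float    # Loss Magnitude per event (USD): most likely estimate
    magnitude_max: float     # Loss Magnitude per event (USD): maximum estimate


def _poisson(rng: random.Random, lam: float) -> int:
    """Draw a Poisson count with Knuth's algorithm (adequate for small yearly rates)."""
    if lam <= 0:
        return 0
    limit = math.exp(-lam)
    k, p = 0, 1.0
    while True:
        p *= rng.random()
        if p <= limit:
            return k
        k += 1


def simulate_annual_losses(scenario: LossScenario, iterations: int = 20000, seed: int = 1) -> list:
    """Simulate `iterations` years; each year draws an event count and sums per-event losses."""
    rng = random.Random(seed)  # fixed seed keeps the estimate reproducible for review
    losses = []
    for _ in range(iterations):
        events = _poisson(rng, scenario.lef_per_year)
        total = 0.0
        for _ in range(events):
            total += rng.triangular(scenario.magnitude_min, scenario.magnitude_max,
                                    scenario.magnitude_mode)
        losses.append(total)
    return losses


def summarize(losses: list) -> dict:
    """Turn simulated annual losses into the figures a risk committee asks for."""
    ordered = sorted(losses)

    def pct(p: float) -> float:
        return ordered[min(len(ordered) - 1, int(p * len(ordered)))]

    return {
        "expected_annual_loss": statistics.fmean(ordered),
        "p50": pct(0.50),
        "p90": pct(0.90),
        "p99": pct(0.99),
        "prob_any_loss": sum(1 for x in ordered if x > 0) / len(ordered),
    }


def rank_scenarios(scenarios: list, iterations: int = 20000, seed: int = 1) -> list:
    """Rank scenarios by expected annual loss, highest first: the 'which red matters most' answer."""
    ranked = []
    for s in scenarios:
        eal = summarize(simulate_annual_losses(s, iterations, seed))["expected_annual_loss"]
        ranked.append((s.name, eal))
    return sorted(ranked, key=lambda pair: pair[1], reverse=True)


# Constructed scenarios; both would be 'red' on a traffic-light chart.
SCENARIOS = [
    LossScenario("Ransomware on file servers", lef_per_year=0.5,
                 magnitude_min=50_000, magnitude_mode=200_000, magnitude_max=1_200_000),
    LossScenario("Lost unencrypted laptop", lef_per_year=4.0,
                 magnitude_min=5_000, magnitude_mode=15_000, magnitude_max=60_000),
]

if __name__ == "__main__":
    for name, eal in rank_scenarios(SCENARIOS):
        print(f"{name:32s} expected annual loss: ${eal:,.0f}")
    stats = summarize(simulate_annual_losses(SCENARIOS[0]))
    print(f"ransomware p90: ${stats['p90']:,.0f}  p99: ${stats['p99']:,.0f}")
```

The expected annual loss answers the ranking question the traffic-light scale cannot; the p90 and p99 figures show the tail a budget holder is actually insuring or mitigating against. Replacing the constructed inputs with a company's own loss history, where it exists, is the historical approach the article describes.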