Beate Zwijnenberg: Can Cyber Risks be Quantified?

FinCyber Today - A podcast by FS-ISAC - Tuesdays

It’s difficult to quantify risk – some CISOs say it can’t be done – but there is a business case to be made for cybersecurity measures and controls (information sharing helps). Beate Zwijnenberg, ING CISO and member of FS-ISAC’s Global and European Boards, explains her approach to quantifying risk and communicating metrics relevant to senior management priorities. And she explains why DORA’s pillars may increase the sector’s resiliency as it matures the supply chain’s cyber defenses.

Quantifying Risk

The possibility of accurately and precisely quantifying risk is a matter of some debate among CISOs. In one sense, such metrics are available, insofar as they apply to the link between cyber risks and financial services organizations’ capital reserves. But precise quantifications of the impact of cybersecurity strategies, policies, and investments on the business are much more difficult to ascertain. Determining success on those measures requires knowing the likelihood of various attack patterns or threat actors, which is often a matter of professional judgment.

Making a Business Case

CISOs can, however, quantify aspects of risk management by measuring investments and controls against business issues such as financial losses, reputational risk, and operational effectiveness or efficiency. Another potentially useful approach, Beate says, is a comparison to peers on a cybersecurity maturity index. Moreover, information sharing and incident reporting clarify the potential for and impact of different kinds of attacks, which helps ICT teams gauge the success of their cybersecurity measures and controls.

Communicating in a Business Context

Communicating risk management within a business context helps executives and board members know what to ask, track, and expect of IT. One effective approach communicates risk management by emphasizing capability – such as risk management practices, in-depth assessments of outstanding threats, and progress on strategic programs. Another takes a control implementation perspective, covering open vulnerability management and progress on strategic goals (such as improving capabilities in prevention/detection/response) or on ongoing change initiatives.

DORA Pillars: Prescriptive, but Effective

Financial services CISOs will likely find DORA’s risk management practices familiar, if somewhat prescriptive – such as those regarding vulnerability scanning. Nonetheless, CISOs may need to adjust internal policies to translate requirements into their own IT risk management framework. Real-life testing is the best way to prove the efficacy of DORA’s mandatory control framework on institutions’ cyber practice and will aid the sector’s resiliency. Incident reporting may advance the cyber maturity of the supply chain as well.

Standardization

A major benefit of DORA is the potential for standardizing risk management practices applying to contracts within the software supply chain. Each firm’s unique contractual clauses regarding IT risk management standards, frameworks, and/or requirements with third parties inhibit automation. Standard contractual clauses centralized within end-to-end connections will improve efficiency and effectiveness across the sector.

CISO Skills

Stakeholder management skills make CISOs more effective. Because cyber incidents can be so operationally disruptive, CISOs should connect with various organizational functions – particularly finance, legal, and privacy – to streamline their approaches. However, CISOs and other executives may have very different perspectives on the business, or even on how to parse problems. Beate recommends understanding other leaders’ business perspective, and finding the right moments to orchestrate initiatives and develop more productive relationships.