IT security, cost and risk – what is the value of everything?

Spending on IT security is a fact of life. According to Gartner, global spending on information security will reach an estimated $212bn in 2025, up 15% on 2024. This is a huge amount of cash going into protecting company systems against attack.

Yet this level of spending on IT security is not keeping attackers out. According to Cybersecurity Ventures, ransomware attacks will cost businesses $265bn globally by 2031. The financial gain from attacks is what keeps bad actors interested.

For companies that are spending more and more on their security, how can they stop potential attacks and keep their operations secure?

A famous quote attributed to Albert Einstein describes doing the same thing over and over again and expecting a different result. For security teams, increasing their spending on IT security is necessary, but how can they break the cycle of ever-increasing budgets and ever-increasing potential impact?

Is it even possible to step off the path and take a different approach? The answer lies in how we think about risk.

Defining risk across the business

For IT security teams, risks are normally categorised as new software vulnerabilities or insights from threat intelligence. However, this is not the same approach that other teams across the business use when they think about risk.

IT security teams should approach risk in the same way that finance or compliance teams do, considering risk from a business perspective. In his book, How To Measure Anything In Cybersecurity Risk, Rich Seiersen defines risk as “… a state of uncertainty where some of the possibilities could lead to loss, catastrophe, or some other undesirable outcome.”

Why does this definition help security leaders be more effective? Because it puts a monetary figure against any and every risk that could come up.

This exercise is termed Cyber Risk Quantification (CRQ), and it aims to provide a consistent method for judging cyber risks alongside other business risks. CRQ involves putting specific monetary values on potential attacks based on the impact that they might have on the business. It also looks at how likely those attacks might be based on the company’s current risk management and mitigation approach. This model is commonly used to define how a company might use cyber insurance to cover its operations in the event of an attack, but it can go further.

What CRQ provides is a way to discuss risk across the entire organisation consistently. For finance leaders such as the CFO, it makes cybersecurity easier to discuss in terms of potential risks and impacts rather than specific technologies. For the board, CRQ should provide evidence that the investment in cybersecurity delivers measurable risk reduction over time.

Making risk management operational

Putting specific figures on risks is the first step to improving risk management. But it is only the beginning of the process that you should take. To actually eliminate risk over time and work with other departments like finance and compliance to turn theory into reality, you have to operationalise those processes around risk.

For any team, getting figures around financial impact is a significant first step. However, actually making the process work continually over time requires a dedicated approach to risk operations. In the same way that security teams and IT operations departments use a security operations centre or SOC to control responses to new threats, a risk operations centre (ROC) uses the data coming in around potential threats to judge which ones are the most pressing to respond to and how that response should be managed. Using the financial data around those threats supports more collaboration across the business so that actions can be taken in the fastest and most efficient way.

The ROC and the SOC will fit alongside each other. While the SOC handles specific threats or risks to the organisation around the technology stack and then orchestrates fixes, mitigations or other responses, the ROC provides that information to the rest of the business so that the organisation can understand and mitigate risk in context. Why is that difference important? Because the ROC approach is not just concerned with the technology side but also supports the business and how it delivers its strategy.

Controlling potential losses

Strategy in this scenario is not just about selling a product or delivering a service. It goes much higher than that and defines where the company thinks it can succeed over time. Every company is in the business of creating more value for more customers in more places over time. Each of those decisions around where to sell or new digital channels to reach customers faster will affect that risk position and thus affect the IT security position as well. Without that insight or ability to pass information on risk back and forth between IT and the business, managing risk is less effective, and IT security teams are not able to deliver what the company needs.

Using a ROC, IT security leaders can therefore engage with the business and support that strategy element over time.

In effect, your ROC should be at the centre of how risk is visualised alongside how value flows into the business. By analysing that risk over time, the ROC can manage actions that remediate or mitigate risks or use insurance to transfer that potential expense out. This combination of security mitigation and cyber insurance for response makes it easier to control potential loss over time.

Implementing a ROC in your organisation involves developing your CRQ approach and then collaborating across the business with other departments on how to prioritise and control risks over time. Without that accurate overview of your own environment – and how much any specific risk will cost – it is impossible to collaborate effectively and turn the theory around risk management and reduction into practical operational performance. In turn, this makes it hard to support business strategy.
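To make the CRQ and ROC steps above concrete, here is an added Python example (not from the article or any vendor it mentions) that puts a likelihood and a money range on each constructed scenario, ranks them by expected annual loss, weighs a control's cost against the loss it avoids, and shows what a cyber insurance policy leaves the business to bear. It goes slightly beyond the article by also estimating loss exceedance with a seeded Monte Carlo run; all scenario names and figures are invented for illustration.

```python
import random
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Scenario:
    """One loss scenario, framed the way CRQ does: a likelihood and a money range."""
    name: str
    annual_probability: float  # chance of at least one such event in a year
    loss_low: float            # lower bound of a 90% confidence interval for the impact
    loss_high: float           # upper bound of that interval


# Constructed sample risk register; the figures are illustrative, not from any real company.
SCENARIOS = [
    Scenario("ransomware outage", 0.30, 500_000, 2_500_000),
    Scenario("invoice fraud via phishing", 0.50, 50_000, 250_000),
    Scenario("cloud storage misconfiguration", 0.15, 200_000, 1_200_000),
]


def expected_loss(s: Scenario) -> float:
    """Annualised expected loss: likelihood times the mid-point of the impact range."""
    return s.annual_probability * (s.loss_low + s.loss_high) / 2


def rank_by_expected_loss(scenarios):
    """Order scenarios so the ROC can see which ones carry the most expected cost."""
    return sorted(scenarios, key=expected_loss, reverse=True)


def mitigation_net_benefit(s: Scenario, probability_after: float, annual_cost: float) -> float:
    """Expected loss avoided by a control, minus what the control costs per year."""
    after = replace(s, annual_probability=probability_after)
    return expected_loss(s) - expected_loss(after) - annual_cost


def retained_loss(loss: float, deductible: float, limit: float) -> float:
    """Loss still borne by the business under a policy with a deductible and a payout cap."""
    payout = min(max(loss - deductible, 0.0), limit)
    return loss - payout


def loss_exceedance(scenarios, threshold: float, trials: int = 20_000, seed: int = 7) -> float:
    """Monte Carlo estimate of P(total annual loss > threshold), sampling impact uniformly
    within each range (a simplification; practitioners usually fit a skewed distribution)."""
    rng = random.Random(seed)
    hits = 0
    for _ in range(trials):
        total = sum(rng.uniform(s.loss_low, s.loss_high)
                    for s in scenarios if rng.random() < s.annual_probability)
        if total > threshold:
            hits += 1
    return hits / trials
```

Ranking by `expected_loss` answers "which risk first"; `mitigation_net_benefit` and `retained_loss` answer "mitigate or transfer", which is the trade-off the ROC is meant to put in front of finance.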

With so much at stake around security and business performance, changing the approach to work with the business around risk operations with ROC is a necessary move for the future.
