This article is part of the series "CEO vs. CSO Mindsets".

In the last post, I brought up the cultural differences between CEOs and CISOs. One group is managing and growing the business, using spreadsheets to game plan various money making scenarios. The other is keeping the IT infrastructure going 24/7, and studying network diagrams while tweaking PowerShell scripts. I think you know which is which.

The point of this series is to bridge the divide between these two different tribes. In this post, I’ll be dispensing advice on how CISOs and CIOs can begin to convince their overlords — CFOs and CEOs — to pay for data security software. And the first step is to get a better understanding of how CEOs do their work.


## Instant MBA for CISOs

The cultural problem begins at business school. No doubt there are more than a few CISOs and CIOs with MBAs but most of them are too busy learning about the latest pen testing techniques or studying for their next IT certification.

However, I can save CISOs two years of study and hundreds of thousands of dollars in tuition. I’ve taken a brief tour of a typical MBA syllabus and can boldly say that everything you need to know about higher-business thinking can be distilled into a single simple example.

Let’s say, as they do in a typical B-school assignment, you have $500,000 to invest. If you put it all in a savings account, you can earn a risk-free 1% per year, or $5,000. Or you have a chance to take a stake in some tech startups for $10,000 a pop. In this example, you have a 1 in 20 or 5% chance of cashing in at a later round of startup financing to the tune of $400,000.

Which option is better?

MBA students learn about such higher concepts as the law of large numbers, and they effortlessly calculate the average return on the above investment. They know that in the long run they’ll come out ahead with the startup investments, and that in the short run they’ll have to deal with the cruel winds of Fortune (and gambler’s ruin).

So with the 50 investments in startups, you have a 72% chance of yielding two or more startup victories, and cashing out for at least $800,000. On the other hand, you can lose the entire $500,000 investment 28% of the time. But the payouts will ultimately cover the losses and give a profit to boot — an expected payout of $1 million for a profit of $500,000.
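The arithmetic behind the post’s numbers, as an added example that is not part of the original article: the 50-stake startup bet is a binomial distribution with n = 50 and p = 0.05, so the 72% figure is the probability of two or more wins, and the $1 million figure is n × p × payout. A short simulation is included to show the short-run variance the post alludes to (the seed and trial count are arbitrary choices for this example).

```python
from math import comb
import random

# The B-school choice from the post: $500,000 either in a 1%/yr savings
# account or spread over 50 startup stakes at $10,000 each, where each
# stake has a 5% chance of paying out $400,000.
CAPITAL = 500_000
SAVINGS_RATE = 0.01
STAKE = 10_000
N_STAKES = CAPITAL // STAKE      # 50 stakes
P_WIN = 0.05
PAYOUT = 400_000


def binom_pmf(k: int, n: int = N_STAKES, p: float = P_WIN) -> float:
    """Probability of exactly k wins out of n independent stakes."""
    return comb(n, k) * p**k * (1 - p) ** (n - k)


def prob_at_least(k: int, n: int = N_STAKES, p: float = P_WIN) -> float:
    """Probability of k or more wins (the tail the post quotes as 72% for k=2,
    i.e. cashing out for at least 2 * $400,000 = $800,000)."""
    return sum(binom_pmf(i, n, p) for i in range(k, n + 1))


def expected_startup_payout(n: int = N_STAKES, p: float = P_WIN,
                            payout: float = PAYOUT) -> float:
    """Long-run average payout of the portfolio: n * p * payout."""
    return n * p * payout


def savings_return(capital: float = CAPITAL, rate: float = SAVINGS_RATE) -> float:
    """Risk-free alternative: one year of interest."""
    return capital * rate


def simulate_share_with_two_wins(trials: int = 20_000, seed: int = 7) -> float:
    """Monte Carlo check: fraction of simulated portfolios with >= 2 wins.
    Individual runs swing widely even though the average is favourable."""
    rng = random.Random(seed)
    hits = 0
    for _ in range(trials):
        wins = sum(1 for _ in range(N_STAKES) if rng.random() < P_WIN)
        hits += wins >= 2
    return hits / trials


def compare() -> dict:
    """The figures a CEO's spreadsheet would carry for the two options."""
    return {
        "savings_gain": savings_return(),                      # $5,000
        "p_two_or_more_wins": prob_at_least(2),                # ~0.72
        "p_fewer_than_two_wins": 1 - prob_at_least(2),         # ~0.28
        "expected_startup_payout": expected_startup_payout(),  # $1,000,000
        "expected_startup_profit": expected_startup_payout() - CAPITAL,
    }
```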

What does this have to do with convincing executives to invest in data protection software?

Let’s say the CEO has a spreadsheet — trust me, she does! — showing revenues and costs projected over the next few years. Of course, she’s assigned various weights or probabilities to different scenarios and calculated an average payout for each.

Here’s the bad news for CIOs and CISOs. While the standard IT reports, charts, and statistics are essential to understanding a company’s current security status, they are not useful in themselves to CEOs. You’d get a “so what?” if you showed them a graph of the number of bots probing ports on an hourly basis.

In justifying an investment in new data security software, a CEO wants to know how data security software will bend or shape the projections in the spreadsheets.

To convince the other C-levels and/or the board of directors, the CISO will have to prove that a breach, with some non-trivial probability, can occur that will cause a significant loss involving legal costs, regulatory fines, class action suits, and customer churn. And then explain how the proposed security software will ultimately pay for itself by protecting against these breaches, thereby keeping the business plans on track.

## Data Breaches and Risk

This is not a unique problem in business decision making. Some of the ideas and support tools I’ll be discussing below may be new to CIOs, but they can be learned and applied easily by anyone who’s done even the simplest model building.

First, let me give a shout out to the Cyentia Institute and a gold star to the FAIR Institute. You can noodle on these things on your own, as I did, but it helps that FAIR has a systematic methodology to arrive at an analysis that any CEO would be happy to hear out.

For the naysayers who think this is all guesswork and mathiness, there are more real-world datasets available than you might at first think, and the methodologies I’ll be discussing are more accurate than being guided by intuition alone.

FAIR’s approach forces you to delve into two areas: the magnitude or cost of a data breach incident, and the frequency at which these attacks arise. From that you can come up with a reasonable estimate of the average cost of dealing with breaches over a given time period.

Let’s take up the first part, the cost of a breach. Actually, this is not a single number! It’s really a distribution of percentages — say, 10% of breach incidents cost less than $10,000, 15% are $30,000 or less, etc. This distribution of losses goes under the fancy name of exceedance or excess loss probabilities. In the real world, insurance companies produce these distribution charts to work out auto or home policies for their risk pools.

Can you work out an exceedance probability for your own situation?

You may have to do some digging and perhaps basic model building. However, for healthcare breaches in particular, we have an embarrassment of riches thanks to HIPAA!

I was able to take the last two years of HIPAA breach report data and calculate losses based on Jay Jacobs’ breach cost regression formula. The loss distribution comes from ranking the costs from smallest to largest and calculating the percentages. My approach is not quite a true excess loss, but we’ll take that up next time.

It’s worthwhile to ponder the above, and note how the incidents cluster at the base while the tail has fewer but far larger incidents: in the tens of millions, with one weighing in at over $100 million. I’m smelling a fat tail!

As a sanity check for my dataset, I calculated the average cost of a health incident to be around $4.2 million. This is in the ballpark of Ponemon’s incident cost numbers — you can check the 2018 report for yourself. I can do more analysis of this curve, but let’s give ourselves a break.
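The ranking procedure and sanity check described above, as an added example that is not part of the original post: it builds the ranked-percentage curve (the fraction of incidents at or below a cost), its complement as a true exceedance curve (the chance one incident costs more than a threshold), the average-cost check, and a FAIR-style annual figure of frequency times average magnitude. The per-incident costs are constructed for this example, not HIPAA or Ponemon data, and the frequency of 0.5 incidents per year is an assumed input.

```python
from bisect import bisect_right

# Constructed per-incident loss figures (dollars), standing in for the
# per-breach costs the post derives from the HIPAA breach reports.
# They are invented for this example and are not real breach data.
INCIDENT_COSTS = [
    8_000, 9_500, 20_000, 45_000, 60_000, 90_000, 120_000, 150_000,
    200_000, 250_000, 400_000, 600_000, 750_000, 1_200_000, 2_000_000,
    3_500_000, 6_000_000, 9_000_000, 15_000_000, 42_000_000,
]


def loss_cdf(costs, threshold):
    """Fraction of incidents costing `threshold` or less: the ranked-percentage
    curve the post builds ('15% are $30,000 or less')."""
    ranked = sorted(costs)
    return bisect_right(ranked, threshold) / len(ranked)


def loss_exceedance(costs, threshold):
    """Probability that a single incident costs MORE than `threshold`: 1 - CDF.
    This is the true exceedance form the post says it will cover next time."""
    return 1 - loss_cdf(costs, threshold)


def exceedance_curve(costs, thresholds):
    """Loss exceedance curve as (threshold, P(loss > threshold)) points."""
    return [(t, loss_exceedance(costs, t)) for t in thresholds]


def average_cost(costs):
    """The sanity-check figure: mean cost of one incident."""
    return sum(costs) / len(costs)


def annualized_expected_loss(costs, incidents_per_year):
    """FAIR-style estimate: loss event frequency x average loss magnitude.
    `incidents_per_year` is the guesstimated breach frequency for the org."""
    return incidents_per_year * average_cost(costs)


def tail_share(costs, top_k=1):
    """Share of total loss carried by the `top_k` costliest incidents, a quick
    check for the fat tail the post notices in the HIPAA data."""
    ranked = sorted(costs, reverse=True)
    return sum(ranked[:top_k]) / sum(costs)
```

On this constructed set a single incident carries over half of all losses, which is the shape that makes the average alone a poor summary for a CEO.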

In short, if you’re a hospital or insurer and are hit with a breach, there’s a small chance you’ll really get whomped!

This is exactly the kind of information a hospital CEO would want to know! However, to derive a more practical answer, you’ll need to guesstimate the chances of your organization getting breached in the first place.

We’ll go over some of this again next time, and then try to work out a more complete argument to make to CEOs and boards to support buying data protection software.

If you want a homework assignment, review Evan Wheeler’s informative and strangely calming RSA presentations on cyber risk management. It’s a big subject with lots of variables and unknowns, but Evan breaks the problem into more digestible portions using the FAIR methodology. Bravo, Evan!