A value-driven approach to cyber security would help businesses understand where to spend their cyber security budget, and how much to budget.
One way to estimate how to spend cyber security dollars is to look at the set of controls needed from a cyber security perspective (e.g. the CIS 20 Controls) and start implementing them in order, i.e. implement one until it is “good enough” and then move on to the next. The upside is that the approach is simple, but there are problems with this approach:
1. When is a control “good enough” to warrant moving on to the next?
2. It assumes the controls are ordered and independent
3. Technical controls are hard to relate to business value
A similar approach would be to group them (as done by the CIS top 5) and implement those as a group. This solves the first problem – but is only a partial solution to the second. For example, controls 6, 1, 2 and 3 are crucial controls with the most dependencies on them, not 1-5 – so maybe that should be the first set. Also, this approach also doesn’t address business value.
A better, business oriented approach would be to look at cyber value-at-risk (VaR). Cyber-VaR is an estimation of the likely loss from cyber-attacks over a given period of time. VaR is a monetary amount given to the losses. This approach is a business approach immediately understandable by executives. The problem is that for 99% of companies there is no way to gather the data to allow them to measure their cyber VaR. Measuring cyber VaR requires a holistic view of cyber security that relates controls to assets as well as to value, risk and historical data.
This is where a cyber security platform could make huge difference, providing the holistic view and data needed to enable cyber-VaR accounting as a measure of the value of security controls. Companies would be able to tailor their cyber security investment to their specific risk profile and needs.