Risk is a number

It’s a dangerous world. Companies need a unified approach to managing risk

Risk surrounds us, as any parent or actuary will tell you. At a high level, Merriam‑Webster defines risk as “the possibility of loss or injury.” Insurers, lenders and investors make business decisions every day by calculating the probability that a given loss or injury will actually occur, whether it’s death, default, or a market crash.

More formally, statisticians and financial economists treat risk as the dispersion of possible outcomes around their expected value. Measured as variance, or as its square root, the standard deviation that investors call volatility, that spread is a single number. Investors use it to gauge the risk they take on when buying a given security.

Inside companies, however, different constituencies speak different languages when it comes to risk. For example, security pros have traditionally measured risk in operational terms. In a risk presentation to the board of directors, a chief information security officer (CISO) might announce, “Good news! We’ve reduced our vulnerable assets by 40% year over year.”

Cue glazed eyes around the boardroom table. The disconnect happens because business leaders define risk mainly in financial terms, not operational ones. For them the core question is always: “How much will it cost us if this dreaded event comes to pass?”

To win over peers and leaders outside the security domain, CISOs need to couch risk in business terms. The same board presentation might go like this: “Good news! We successfully reduced our cyber risk from a range of $100-200 million a year to a range of $25-80 million a year, because we reduced vulnerable assets by 40% year over year.” Now cue head nods around the table, and perhaps a lavish annual bonus for the CISO.

The same rules apply to any risk conversation inside a company. PR pros think about reputational risk. HR leaders worry about flight risk. CFOs and general counsels obsess about financial and compliance risk. CIOs are paid to worry about IT risk, which includes everything from event management to cloud sprawl, cloud compliance, availability, resiliency and vulnerability.

If you want the board’s attention, you need to quantify all these risks in terms of their business impact, measured in dollars or the currency of your choice. And if you’re looking for budget approval as well, it helps to contrast the relatively modest sums needed to mitigate security risk with the massive financial impact of a major breach.

“A $2 million spend to mitigate billions in risk is a no‑brainer for the board,” says my colleague Sean Convery, VP and general manager of the security business unit at ServiceNow.
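As an added example (not code from the article or from ServiceNow), the following Python sketch shows one way a CISO could back the board statement above with arithmetic: a frequency-times-magnitude Monte Carlo model that turns an operational metric (the count of vulnerable assets) into an annual loss range in dollars, and then sets the expected loss avoided against the mitigation spend, as in the $2 million figure above. The model structure and every parameter value (per-asset incident rate, median loss, spread, asset counts, spend) are assumptions chosen to land near the article's illustrative numbers, not figures from the article.

```python
"""Added example: turn "40% fewer vulnerable assets" into a dollar range.

Assumed model (illustration only, not the article's method):
  - incidents per year ~ Poisson(vulnerable_assets * incidents_per_asset_year)
  - cost per incident  ~ log-normal(median, sigma), i.e. a long right tail
  - annual loss        = sum of incident costs in that year
The reported range is the 10th to 90th percentile of simulated years.
"""
import math
import random
import statistics

# Assumed parameters; none of these values come from the article.
MODEL = {
    "incidents_per_asset_year": 0.004,  # 1000 assets -> 4 incidents/year
    "loss_median": 20_000_000,          # median cost of one incident, $
    "loss_sigma": 0.8,                  # log-space spread of incident cost
}


def _poisson(rng, lam):
    """Draw one Poisson(lam) sample with Knuth's algorithm (fine for small lam)."""
    limit = math.exp(-lam)
    k, p = 0, 1.0
    while True:
        p *= rng.random()
        if p <= limit:
            return k
        k += 1


def simulate_annual_losses(vulnerable_assets, incidents_per_asset_year,
                           loss_median, loss_sigma, years=20_000, seed=7):
    """Return a list of `years` simulated annual loss totals in dollars."""
    rng = random.Random(seed)
    lam = vulnerable_assets * incidents_per_asset_year
    mu = math.log(loss_median)  # log-normal median == exp(mu)
    totals = []
    for _ in range(years):
        n = _poisson(rng, lam)
        totals.append(sum(rng.lognormvariate(mu, loss_sigma) for _ in range(n)))
    return totals


def loss_range(annual_losses, low=10, high=90):
    """Return (expected annual loss, low percentile, high percentile)."""
    cuts = statistics.quantiles(annual_losses, n=100)  # cuts[i-1] ~ i-th percentile
    return statistics.fmean(annual_losses), cuts[low - 1], cuts[high - 1]


def board_summary(assets_before, assets_after, spend, **model):
    """Before/after loss ranges plus expected loss avoided per dollar of spend."""
    before = loss_range(simulate_annual_losses(assets_before, **model))
    after = loss_range(simulate_annual_losses(assets_after, **model))
    avoided = before[0] - after[0]
    return {
        "expected_before": before[0],
        "range_before": (before[1], before[2]),
        "expected_after": after[0],
        "range_after": (after[1], after[2]),
        "expected_reduction": avoided,
        "reduction_per_dollar": avoided / spend,  # expected $ avoided per $ spent
    }


if __name__ == "__main__":
    # 1000 vulnerable assets cut to 600 (the article's 40%), $2M mitigation spend.
    s = board_summary(1000, 600, 2_000_000, **MODEL)
    m = 1_000_000
    print(f"Before: ${s['range_before'][0]/m:.0f}-{s['range_before'][1]/m:.0f}M a year "
          f"(expected ${s['expected_before']/m:.0f}M)")
    print(f"After:  ${s['range_after'][0]/m:.0f}-{s['range_after'][1]/m:.0f}M a year "
          f"(expected ${s['expected_after']/m:.0f}M)")
    print(f"Expected loss avoided per $1 of spend: {s['reduction_per_dollar']:.1f}")
```

The 40% cut in vulnerable assets shows up as roughly a 40% cut in expected annual loss only because the model assumes incident frequency scales linearly with asset count; if the assets that remain are the crown jewels, weight them accordingly rather than counting heads. Reporting a percentile range rather than a single expected value is deliberate: the tail of the distribution is what the board's "how much will it cost us" question is really about.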

For more tips on how to get your board’s attention, check out Kristin Burnham’s nearby article, “4 essential CISO skills.” Spoiler alert: They include rock star level communication skills, business acumen, strategic vision and a learning mindset.

This isn’t just good advice for CISOs or even C‑level executives. Anyone who aspires to a successful business career needs the ability to get out of the operational weeds and frame risk in business terms. Failure to do so is downright risky.

