Building a Defensible Security Budget: Making the CFO Your Best Advocate (Part 2)
This blog post is the second of two supplements to the first webinar Richard Seiersen and I delivered on March 2, 2023. We welcome you to join us in our upcoming webinar on April 5th.
Our last post discussed how to speak with the money people qualitatively, in their terms, to effectively align your budget with their motivations. In addition, you'll need to think like them quantitatively (i.e., in terms of ROI), which we'll explore in today's article.
By this, we mean that you will need to develop a quantitative model that spells out the actual costs for each of the groups of capabilities you initially intend to consider and the anticipated rate of return for implementing them.
Without getting into the calculations employed, I’ve laid out an influence diagram that illustrates the essence of an example quantitative ransomware model you will need to build for this next level of thinking and planning.
The model shows that there are sets of Control Capabilities and relevant Capability Maturity Levels that you can use. This is the space of your decisions.
Ransomware may or may not strike your organization. We talk about that possibility in terms of probability. Specific combinations of capability levels can affect the Probability that your organization will face a reportable Loss Event. The probability is conditionally related to your choice of capability levels.
Ransomware event losses are composed of several contributing loss types (the value at risk) that together represent the Total Potential Loss you would face if the ransomware event materialized. The Total Potential Loss could fall from $0 to $10Ms or more.
Since the loss events occur with different likelihoods at different capability levels, the Realized Losses will vary directly with your control choices.
The Avoided Loss represents the difference between the Realized Loss for your current capability level and a more aggressive capability level you want to test.
However, each capability level carries a Cost of Control Level distributed like losses, although not as large or wide.
When we calculate the ratio of the Avoided Loss to the cost of a tested capability level, we get the Return on Controls for that capability level. We will focus our budget on the Return on Controls and Realized Losses.
You will need to represent your version of this model (and models of other threat sources) in a quantitative modeling tool. If you follow our remaining webinars, we will provide a simplified solution in Excel and guidance on establishing reasonable event probabilities and distributions for losses and controls. Larger enterprise models require more advanced cyber risk quantification tools, like our online Cybersecurity Enterprise Risk Model.
One of the outputs of your quantitative model should be a table similar to the following. The Cost column represents the investment required to achieve the desired capability level. The ROC column represents the average return on controls for a given capability level that you test against a current capability level [Please see footnote '1' at the end of this article].
Optional: Re-Thinking Capability Levels
Much debate revolves around maturity and capability levels. That’s because they are ambiguously applied. This is solvable by using exact language. When we say something has met a certain level, we mean that specific, empirical, and mathematically unambiguous evidence supports that assessment – evidence that would hold up under audit. For example, when we say “Deployed,” we mean “Evidence of 90% or better coverage for the last 90 days.” That, of course, is a “standard.” We are not claiming it’s the best or a universal standard. Given your context, you must choose what standards, SLAs (service level agreements), and other concrete performance factors matter to your organization.
At this point, you want to focus on those controls that, after evaluation, suggest that they will generate negative returns. Eliminate these from your budget.
Notice that this part speaks to the Operating Costs and Capital Efficiency fundamentals we considered in our last post.
You should recommend a budget for those remaining controls that generate risk-adjusted positive returns; that way you spend no more than is necessary and economically rational. Notice that before you accounted for the negative returns, your budget in this hypothetical case would have been $1,110K; however, the optimized budget you would deliver to the money people will be $760K, or $350K less than your initial inclination. Make sure to mention the savings you’re passing on!
The skeptic in you might think you should spend money on those eliminated controls because not doing so will expose you to more risk and make you guilty of moral hazard [2] (assuming you already have an insurance policy). Let’s examine that idea.
The simulation model you construct will account for the risk profile (represented by this exceedance probability chart below) associated with your Current state of controls versus the Target optimized set of controls. For example, notice from the ransomware model that the Current controls’ risk profile implies that there is a 30% chance of exceeding $10M of loss that might arise from extortion, disrupted business and revenue generation, repair costs, legal penalties, and possibly damages to plaintiffs from stolen data. Of course, when you are prepared to submit your budget, the risk profiles you discuss should include loss contributions from other threats.
The Target controls’ risk profile demonstrates approximately 1/4 the probability of exceeding the same $10M. So clearly, eliminating the negative ROC controls did not increase the risk of loss. Overall, the loss exceedance for the Target control set is lower and shorter than the Current state of controls. You’re not in danger of committing moral hazard here.
Furthermore, if that $10M mark represents the insurance loss limit you have in place, anything beyond it could impact the money people’s treasury. You’ve demonstrated to the money people that your budget request supports the integrity of the treasury in an uncertain world.
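The following Python script is an added worked example of the model described above; it is not the article's model, spreadsheet, or figures. It carries the influence diagram end to end: capability levels with an event probability and a cost, a lognormal Total Potential Loss, Realized Loss and Avoided Loss against the current state, the Return on Controls table, elimination of the controls whose Avoided Loss does not cover their cost (ROC below 1, i.e. a negative net return) to arrive at the optimized budget, and the probability of exceeding the $10M mark for the Current and Target control sets, computed both in closed form and by a small Monte Carlo run. The control names, probabilities, costs, lognormal parameters, the point-estimate treatment of control costs, and the assumption that independently adopted controls reduce event probability multiplicatively are all assumptions constructed for this example.

```python
"""Return-on-controls (ROC) and loss-exceedance model (added example, constructed figures)."""
import math
import random
from dataclasses import dataclass

# Total Potential Loss given a reportable ransomware event: lognormal, so it spans
# "$0 to $10Ms or more" with a long right tail. Both parameters are constructed.
LOSS_MEDIAN = 4_000_000.0
LOSS_SIGMA = 1.0
INSURANCE_LIMIT = 10_000_000.0  # the $10M mark discussed in the article


@dataclass(frozen=True)
class Capability:
    name: str
    p_event: float  # annual probability of a reportable loss event at this level
    cost: float     # annual cost to reach and hold this level (point estimate, constructed)


CURRENT = Capability("current state", p_event=0.30, cost=0.0)

# Candidate capability levels, each tested alone against CURRENT (all values constructed).
CANDIDATES = [
    Capability("EDR deployed (>=90% coverage for 90 days)", p_event=0.20, cost=250_000),
    Capability("immutable, restore-tested backups", p_event=0.22, cost=150_000),
    Capability("phishing-resistant MFA", p_event=0.24, cost=200_000),
    Capability("dark-web monitoring subscription", p_event=0.295, cost=120_000),
    Capability("secure web gateway upgrade", p_event=0.29, cost=300_000),
]


def mean_loss_given_event(median=LOSS_MEDIAN, sigma=LOSS_SIGMA):
    """Mean of a lognormal with the given median: median * exp(sigma^2 / 2)."""
    return median * math.exp(sigma ** 2 / 2)


def realized_loss(p_event):
    """Expected annual Realized Loss: P(event) x E[Total Potential Loss | event]."""
    return p_event * mean_loss_given_event()


def return_on_controls(candidate, current=CURRENT):
    """Avoided Loss versus Current, ROC = Avoided Loss / Cost, and the net return.

    A control whose Avoided Loss does not cover its cost (ROC < 1) has a negative
    net return; those are the controls the article says to drop from the budget.
    """
    avoided = realized_loss(current.p_event) - realized_loss(candidate.p_event)
    return {"name": candidate.name, "cost": candidate.cost, "avoided_loss": avoided,
            "roc": avoided / candidate.cost, "net_return": avoided - candidate.cost}


def optimize_budget(candidates=CANDIDATES):
    """Build the ROC table, keep only positive net-return controls, sum both budgets."""
    table = [return_on_controls(c) for c in candidates]
    kept = [c for c, row in zip(candidates, table) if row["net_return"] > 0]
    naive = sum(c.cost for c in candidates)
    optimized = sum(c.cost for c in kept)
    return {"table": table, "kept": kept, "naive_budget": naive,
            "optimized_budget": optimized, "savings": naive - optimized}


def combined_p_event(kept, current=CURRENT):
    """ASSUMPTION: independently adopted controls scale P(event) multiplicatively."""
    p = current.p_event
    for c in kept:
        p *= c.p_event / current.p_event
    return p


def exceedance_probability(p_event, threshold=INSURANCE_LIMIT):
    """Closed-form P(annual loss > threshold) = P(event) x P(lognormal loss > threshold)."""
    z = math.log(threshold / LOSS_MEDIAN) / LOSS_SIGMA
    tail = 1.0 - 0.5 * (1.0 + math.erf(z / math.sqrt(2.0)))
    return p_event * tail


def simulate_exceedance(p_event, threshold=INSURANCE_LIMIT, trials=50_000, seed=7):
    """Monte Carlo estimate of the same point on the loss-exceedance curve."""
    rng = random.Random(seed)
    hits = 0
    for _ in range(trials):
        if rng.random() < p_event:  # does a reportable event occur this year?
            loss = LOSS_MEDIAN * math.exp(LOSS_SIGMA * rng.gauss(0.0, 1.0))
            if loss > threshold:
                hits += 1
    return hits / trials


if __name__ == "__main__":
    result = optimize_budget()
    for row in result["table"]:
        print(f"{row['name']:<42} cost ${row['cost']:>9,.0f}  ROC {row['roc']:5.2f}"
              f"  net ${row['net_return']:>11,.0f}")
    print(f"budget ${result['naive_budget']:,.0f} -> ${result['optimized_budget']:,.0f}"
          f" (saving ${result['savings']:,.0f})")
    p_target = combined_p_event(result["kept"])
    for label, p in (("Current", CURRENT.p_event), ("Target", p_target)):
        print(f"{label}: P(loss > $10M) = {exceedance_probability(p):.3f} analytic, "
              f"{simulate_exceedance(p):.3f} simulated")
```

Running the script prints the ROC table, the naive and optimized budgets, and the two exceedance probabilities; with these constructed inputs the two lowest-ROC controls fall out, and the Target set's chance of exceeding the $10M mark is well under half the Current set's. Turning this into a real model means replacing the constructed probabilities and point costs with elicited distributions, summing the separate loss types (extortion, disruption, repair, penalties, damages) rather than one lognormal, and letting the simulation produce the whole exceedance curve instead of a single threshold.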
Given this information, and the degree of risk they observe in the budget you submit, the money people have three alternatives before them:
Remember that the financial officers of your organization have been entrusted to protect and grow shareholder value. By taking the approach outlined here, you demonstrate the leadership maturity of a director who thoroughly considers their duty of care before taking actions that would affect the officers’ concerns. Align your objectives to their objectives and speak to them in their terms, and you will improve the opportunity to fulfill your mission effectively.
We are excited to see you in our next webinar on April 5th at 2:00 PM ET - reserve your spot today!
Footnotes:
[1] The figures in this table are for illustration purposes only. They do not represent the exact costs and returns your organization would derive, nor do they represent general guidance on control capabilities that should actually be implemented.
[2] Moral hazard is the term insurance people use to describe the situation in which people allow their knowledge of a risk transfer instrument (like an insurance policy or artificial restraint) to serve as a motivation for adopting behaviors that increase the probability or extent of an undesirable outcome that is addressed by the instrument. For example, having automobile insurance or living in a jurisdiction requiring seat belts might lead people to drive more recklessly. Being found liable for contributing to moral hazard generally nullifies the terms of formal risk transfer policies.
Thank you for reading. If you liked this post, please share it with your network, and follow Resilience for more thought leadership to help you build #CyberResilience.
About The Author
Robert D. Brown III, Cybersecurity Risk Management Leader at Resilience.
Robert has over 25 years of experience in strategic planning and advising, working across startups, government agencies, and Fortune 100 companies. One of the masterminds behind our popular cyber risk quantification (CRQ) training series, Rob spent the last 25 years as a decision scientist and strategic consultant modeling complex risk in manufacturing, homeland security, pharmaceuticals, asset allocation, and more. He is also the author of “Business Case Analysis with R: Simulation Tutorials to Support Complex Business Decisions” (2018).