Improving cyber defences costs money, which you normally have to justify with a corresponding reduction in risk.
Accountants want to see a return on the investment (RoI) — a quantified risk benefit, which means measuring the risk before and after improvement. But risks can’t be measured, only estimated, so how can you convince your investment board to fund your cyber risk improvement programme? Here are three ways that work.
1. Reduce the hidden costs of cyber risk.
The true costs of cyber risks are mostly absorbed within budgets. They distract managers, divert resources, annoy customers, and erode profit margins. Only spectacular and badly managed cyber incidents hit the headlines. The vast majority are kept quiet to protect reputation. So, the first step towards that RoI is to assess the aggregate cost of all minor cyber incidents – those DDoS attacks, investigations following detected intrusions, clean-up of infected laptops, emergency changes to firewall rules, and temporary shut-downs to prevent data exposure. These cyber costs are equivalent to the losses that insurers avoid by imposing a policy excess on your private insurance. This is the amount that stops you claiming for minor scrapes on your car, or small damp patches in your ceiling. Once you move the focus away from catastrophic cyber losses and towards the higher frequency end of the risk spectrum, the cyber investment looks more like a welcome case of cost reduction.
2. Join forces with proposals for growth, instead of competing for the same funds.
Requests to fund risk improvement usually have to compete with investment proposals for business growth. Pessimistic estimates of what might be lost if the worst happens are compared with optimistic forecasts of future income streams. Proposals for growth usually quote the best case and use words like ‘will’, whereas cases for risk improvement quote the worst case with words like ‘might’. To overcome odds stacked in favour of growth requires a smarter approach. Risks introduce huge uncertainty to achievement of revenue and profit forecasts, so improvements in risk ought to help shift outcomes from low and disappointing to high and successful. Instead of competing for the same funds, present your risk improvements as integral parts of growth proposals, providing an option to spend a bit more to reduce uncertainty, improve the chances of achieving even higher financial targets, and avoid regret.
3. Express risk as a theoretical or ‘pure premium’.
Insurers convert risks into annual premiums. It’s their way of combining all the possible types, sizes and probabilities of loss covered by a policy into a single figure. Actuaries define ‘pure premium’ as the area under a risk distribution curve known as the Exceeding Probability (EP) curve. It’s a plot of the probability that any given monetary loss value might be exceeded. If you generate an EP curve for your cyber risk, including all possible consequences, the RoI becomes a reduction in this notional premium.