In this time of digitalisation, with more employees, suppliers and third parties opting for virtual meetings and transactions, IT, security and cyber teams have become hyper-vigilant about protecting sensitive and regulated information. It’s a challenge.
In previous posts on Risk Quantification, and on how 2020 is changing the way we 'Do Risk and Resilience' forever, we focused in part on how to take a 360 degree view to prioritise cyber investments based on an operating risk score worked out with the business. The score is based on multiple factors, in the context of business processes, current events and likely future events, network use and user behaviours, and the characteristics of the data. This is very timely given our current “New Normal”.
This post doubles down on how to do this, using the concept of a Digital Impact Chain with the business to converge quickly on what is important based on business impact, and then using that knowledge to prioritise investments.
What is the Digital Impact Chain?
First of all, it’s simple: it’s easy to use with your business sponsor or process owner. Secondly, it keeps you both focused on what matters: it makes sure you align on the real impact to the business, in $ terms, of a threat that is so technical or complex that it is often too difficult to explain. And thirdly, it is required in order to get a good risk quantification score.
While security teams know that these simple impact equations are required, many have had difficulty connecting the dots with the business because of technology complexity, language and urgency. If teams could connect these dots and keep them current and relevant with the business, investments in security and cyber team size, incident response processes and technologies, and other playbooks would be proportional to the potential impact on the business of a failure. As we know, that’s not always the case, especially in a crisis.
Why Use the Digital Impact Chain?
Let’s take an example to show how this simple tool can be highly helpful. Take a telecom company whose main website accepts payments to provision devices such as cell phones and to pay a monthly bill. With the pandemic and growing digitisation, the number of firms and individuals using this service grows significantly. Improvements may be introduced rapidly in response to growing demand and the need to stay competitive. Change increases the likelihood that something will break, and more complexity increases the attack surface. The security team may know that more investment in tools, anomaly detection or other forms of monitoring is required to strengthen controls and block threats. Yet the timing and deployment of those security investments may be delayed while the improvements are rolled out, with increased risk. Why? Because it is too difficult to quantify the risk in dollar terms, supported by a score that can be compared with other investments.
So, to get to the heart of the matter, security analysts must ask a simple question: what is the $ daily impact of not being able to receive payments on this site? They know it is significant but may not know the magnitude, nor necessarily have examples of previous incidents and the corresponding $ impacts, losses or near misses. By having your business sponsor and the security analyst use the Digital Impact Chain as part of their collaborative analysis, updated whenever changes are being designed and rolled out, teams can work proactively to prioritise investments. Security analysts strive to keep those impact equations nailed down and current with the business.
Summary and Call to Action
To reiterate, it is absolutely critical to have a simple, straightforward depiction like the Digital Impact Chain that you can share with business sponsors to agree on what really matters.
Remember, we use this tool so that we can prioritise cyber actions, whether something as granular as an unpatched vulnerability or a weak access control, in terms of the assets and processes that have the largest business impact, expressed in $ terms.
Being able to do this in a clear and sustained manner is critical, especially when reacting during a crisis. Having this kind of simple diagram can be fundamental when prioritising with your business stakeholders.