IBM Security this week launched a service through which it will work with IT security professionals to assess the business risks cybersecurity vulnerabilities represent.
Julian Meyrick, vice president for IBM Security, said the Risk Quantification Services from IBM will help cybersecurity teams assess cybersecurity vulnerabilities by adding more business context.
In addition to leveraging IBM consulting experience, the service applies the Factor Analysis of Information Risk (FAIR) methodology, an open international standard for cyber risk modeling.
IBM is also making use of cyber risk management software developed by RiskLens along with analytics tools that IBM applies to enable organizations to make optimal business decisions.
The services will evaluate not only security issues but also the business risks associated with deploying new technologies, making strategic business investments and re-engineering business processes, said Meyrick. The IBM service can also be applied to merger and acquisition targets to enable organizations to better determine what the true value of an asset might be, given any cybersecurity concerns that might be uncovered.
IBM via the service provides cybersecurity leaders with the financial analysis required to communicate more effectively with business leaders, Meyrick noted. The service calculates both the probability of a security event occurring and the potential level of disruption, including the total cost to the business. IBM consultants will also provide risk mitigation recommendations based on the potential impact and the cost of reducing those risks.
Cybersecurity teams have been trying to raise the overall risk acumen of business leaders for years now, often with mixed success. Much of that issue stems from the simple fact that every business decision comes with some level of risk. Business leaders, however, have rarely had the data needed to balance cybersecurity risks against the potential gains for the business. In the absence of that analysis, there is a tendency to move forward on projects without really understanding how unmitigated cybersecurity issues might impact the business.
IBM, in effect, is making the case for a more traditional business assessment of cybersecurity risks that IT security teams are typically not able to make, either because they don’t have that level of expertise or they don’t understand how the business operates.
Most business leaders are also likely to put more credence in a professional business audit than in a simple list of potential security threats. Business leaders continually balance risk versus opportunity, so most of them want to know specifics such as how much a ransomware attack would disrupt a digital business transformation initiative. Once a potential cost is ascribed to that risk, a business leader is then able to determine how much to allocate to mitigate it.
Not all security risks to a business are equal. Organizations need to determine where to focus limited resources to get the most out of their security investments. Otherwise, there will always be resistance to security investments that don't have a clear return on investment (ROI).
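To make the calculation described above concrete (the probability of a loss event, the size of the disruption, and whether a control is worth its cost), here is an added worked example of a FAIR-style Monte Carlo risk quantification. It is not IBM or RiskLens code and reflects no detail of their service; it uses only the public FAIR decomposition (loss event frequency = threat event frequency × vulnerability, loss magnitude = primary + secondary loss). The ransomware estimates, the control, and its annual cost are constructed for illustration, and a triangular distribution stands in for the PERT distribution FAIR tooling typically uses.

```python
"""FAIR-style risk quantification (added illustration, not vendor code):
simulate annual loss for a scenario, summarize the loss distribution, then
compare a control's cost against the risk it removes."""
from dataclasses import dataclass
import math
import random
import statistics


@dataclass(frozen=True)
class Estimate:
    """Calibrated min / most-likely / max estimate for one FAIR factor.
    Sampled with a triangular distribution as a stand-in for PERT."""
    low: float
    mode: float
    high: float

    def sample(self, rng: random.Random) -> float:
        return rng.triangular(self.low, self.high, self.mode)


@dataclass(frozen=True)
class Scenario:
    """One loss scenario decomposed along the FAIR taxonomy."""
    name: str
    tef: Estimate             # threat event frequency: attempts per year
    vulnerability: Estimate   # probability an attempt becomes a loss event
    primary_loss: Estimate    # per-event response, replacement, productivity loss
    secondary_loss: Estimate  # per-event fines, legal costs, customer churn


def poisson(rng: random.Random, lam: float) -> int:
    """Knuth's sampler: number of loss events in one year at rate `lam`."""
    limit = math.exp(-lam)
    k, p = 0, 1.0
    while True:
        k += 1
        p *= rng.random()
        if p <= limit:
            return k - 1


def simulate_annual_loss(scenario: Scenario, iterations: int = 20_000,
                         seed: int = 7) -> list[float]:
    """Monte Carlo: each iteration is one simulated year. LEF = TEF * vulnerability;
    every loss event draws its own magnitude, so a bad year can hold several."""
    rng = random.Random(seed)
    years = []
    for _ in range(iterations):
        lef = scenario.tef.sample(rng) * scenario.vulnerability.sample(rng)
        total = 0.0
        for _ in range(poisson(rng, lef)):
            total += scenario.primary_loss.sample(rng) + scenario.secondary_loss.sample(rng)
        years.append(total)
    return years


def summarize(years: list[float], tolerance: float) -> dict:
    """Expected annual loss (ALE), median year, 90th-percentile 'bad year',
    and the probability of exceeding a stated loss tolerance."""
    ordered = sorted(years)
    n = len(ordered)
    return {
        "ale": statistics.fmean(ordered),
        "median": ordered[n // 2],
        "p90": ordered[int(0.9 * n)],
        "p_exceeds_tolerance": sum(1 for x in ordered if x > tolerance) / n,
    }


def rosi(baseline_ale: float, residual_ale: float, annual_control_cost: float) -> float:
    """Return on security investment: risk reduction net of the control's cost,
    as a multiple of that cost. Negative means the control costs more than it saves."""
    return (baseline_ale - residual_ale - annual_control_cost) / annual_control_cost


# Constructed, illustrative estimates (assumptions, not data from any vendor):
# ransomware against a line-of-business environment, before and after adding
# immutable backups plus EDR. The control is assumed to lower vulnerability and
# primary loss (faster recovery); secondary loss is assumed unchanged.
RANSOMWARE = Scenario(
    name="ransomware, current state",
    tef=Estimate(0.5, 2.0, 6.0),
    vulnerability=Estimate(0.10, 0.30, 0.60),
    primary_loss=Estimate(50_000, 400_000, 2_000_000),
    secondary_loss=Estimate(0, 100_000, 1_500_000),
)
RANSOMWARE_WITH_CONTROL = Scenario(
    name="ransomware, with immutable backups + EDR",
    tef=RANSOMWARE.tef,
    vulnerability=Estimate(0.02, 0.10, 0.25),
    primary_loss=Estimate(20_000, 150_000, 800_000),
    secondary_loss=RANSOMWARE.secondary_loss,
)
CONTROL_COST_PER_YEAR = 250_000  # assumed annual cost of the control


def compare(tolerance: float = 2_000_000) -> dict:
    """Baseline vs. residual loss distributions and the control's ROSI."""
    base = summarize(simulate_annual_loss(RANSOMWARE), tolerance)
    resid = summarize(simulate_annual_loss(RANSOMWARE_WITH_CONTROL), tolerance)
    return {"baseline": base, "residual": resid,
            "rosi": rosi(base["ale"], resid["ale"], CONTROL_COST_PER_YEAR)}


if __name__ == "__main__":
    result = compare()
    for label in ("baseline", "residual"):
        s = result[label]
        print(f"{label:9s} ALE={s['ale']:>12,.0f}  p90={s['p90']:>12,.0f}  "
              f"P(loss > tolerance)={s['p_exceeds_tolerance']:.1%}")
    print(f"ROSI of the control: {result['rosi']:.2f}x")
```

The output is the kind of figure the article says business leaders ask for: an expected annual loss to weigh against a budget line, a tail figure for the bad year, and a probability of exceeding the loss the board has said it can tolerate. Because the ALE is a mean of a skewed distribution, the median year is often zero even when the expected loss is large; presenting both avoids the "we haven't been hit yet" objection. The weak point of any such model is the calibration of the three-point estimates, which is where a consulting engagement spends most of its effort.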