U.S. Telco Giant Makes Cybersecurity Decisions 60% Faster by Quantifying the Dollar Impact of Cyber Risks

One of the world’s largest communication technology giants was justifiably concerned about potential security breaches. The company, which has tens of millions of customers and thousands of network points, records a whopping one billion plus threats per day. So, how do they determine which of these risks need the most attention and investment? By quantifying them in terms of dollar impact.

The Journey Towards a Single Risk Cyber Score

As cybersecurity evolved into a top 3 business risk, boards and leadership teams wanted more insights than what a traditional risk heat map provided: “What is the financial impact of a potential data breach?” “How much is the cost of remediating the risk vs accepting it?” “Are our cybersecurity investments proportionate to our risk exposure?”

The only way to answer these questions was to quantify the company’s cyber risks in monetary terms. So, the board and leadership team challenged the CISO to come up with a single risk score for each cyber risk, represented in terms of dollar impact.

That’s when the CISO turned to MetricStream for a solution. Today, MetricStream Cyber Risk Quantification is helping the company transform cyber risk data into a single risk score that’s quantified in terms of dollar impact. These actionable insights have accelerated decision-making time by 60%. Cyber teams are better able to prioritize investments, while boards and leadership teams are able to provide stronger oversight of cybersecurity. This single cyber risk score is both credible and real-time, and the cyber risk taxonomy is mapped on the relationships between cyber risks, assets, business lines, covering the 100+ systems monitoring the security posture.

Improved Understanding of Cyber Risk Exposure

By leveraging MetricStream’s risk quantification engine with its proprietary algorithm, the company is able to compute the dollar impact of each cyber risk based on the FAIR methodology. The result is a targeted understanding of which cyber risks are most important and need the most attention. The in-built API framework automatically integrates cyber risk, threat, and vulnerability data from 100+ systems inside and outside the company to calculate risk exposure in financial terms.

Greater Consistency in Risk Management with One Risk Score

MetricStream has helped the company harmonize its risk management techniques and methods by driving towards a common risk score across cyber, operational risk, and resilience teams. This score is based on consistent factors and grounded in a business context.

This combined risk score helps cyber teams accurately weigh the cost-benefit of either a single risk mitigation strategy or a combination of them. It also helps them increase the agility and speed of remediation efforts.

MetricStream also provides a top-down and bottom-up 360-degree view of cyber risk. Top-down views take risk assessment information from the business in terms of dollars—for example, how much it costs to keep an order processing system up and running. Meanwhile, bottom-up views provide data on the costs of mitigating vulnerabilities.

Challenge

• Insufficient insights on the financial impact of cyber risks for the board and leadership team
• Inability to prioritize investments based on quantified impact of cyber risk
• Low visibility into the status of cyber investments and action plans and slow decision-making with leadership
• Distributed, disconnected data from 100+ internal systems and 1000s of suppliers with no common risk taxonomy
• Lack of a 360-degree view of cyber risks across internal and external systems
• Quarterly risk reporting ineffective to keep up with today’s volatile cyber risk environment

Better Prioritization of Cyber Investments

Decision-makers now have dynamic insights on the monetary impact of each cyber risk weighed against the cost of remediation. This helps them prioritize cybersecurity investments to ensure maximum bang for their buck. For example, if they can conclude that the impact of a potential breach is, say, $10 million, while the cost to fix it is $5 million, then they can decide to invest in remediation. But if they know that the remediation would cost $20 million—double that of the breach itself—they may decide to accept the risk, or transfer part of it through insurance.

Stronger Alignment Between Cyber and Business Priorities

By synchronizing business and technology perspectives by leveraging cyber risk postures on top 100 risk statements from 100+ systems in a single risk score, MetricStream has enabled the company to align their cyber investments and risk mitigation actions with business priorities.

The risk quantification methodology is a self-tuning and business-harmonized model that can adjust factors as they change. The focus is on measurement: standardized, normalized, and calibrated against business benefit.

Today, the company is thinking of expanding their risk quantification methods to other areas of operational risk management, financial risk management, and SOX compliance. The more quantified their risks, the more effectively the CISO and other risk officers can communicate with the board and leadership team.

“Let’s look at the business value this organization now has: Risk score is based on factors and quotients, grounded in business context, dollar impacts, and remediation delivery; a framework that allows the company to prioritize investments in cyber – in the context of dollar benefits through a common cyber risk framework for decision-making; and a methodology that drives a self-tuning and business – harmonized, scalable method – that can adjust factors as they change.”

- Executive Director, Governance, Risk and Compliance, at the company