How do we choose the solutions we embrace?
- Juanjo Martínez Pagan
- May 27
- 3 min read
Updated: Jun 2
At the core of the CISO's work lies the Risk Analysis.
There are frameworks to help with this, like the FAIR, NIST, ISO 27001, or the OCTAVE. Regardless of the one you use, at the end of the day, you will end up with a list of risks characterized by their impact, likelihood, risk level, estimated loss, recommended actions, and possible mitigation strategies.
All the frameworks propose prioritizing the risks and analyzing the benefit/cost of implementing measures to mitigate each of them. This analysis requires a detailed evaluation of the impact of each risk, with all its possible direct and indirect implications, which is typically summarized in the ALE (Annual Loss Expectancy) originated by that particular risk. It also requires analyzing the different alternatives to mitigate the risk and their associated cost, including the annualized value of all direct and indirect costs over the whole life cycle of the proposed method of mitigation (AMC: Annualized Mitigation Cost).
Business owners and executives will receive this analysis from the CISO’s team and will be in charge of making decisions in situations where a difficult compromise must be made between the risk and the cost of mitigation.
The possible treatment options for risks are:
Mitigate: apply security controls or technological measures to reduce the likelihood, the impact, or both.
Transfer: outsource the risk, typically to insurance.
Avoid: remove the risky process, asset, or activity.
Accept: accept the risk (typically when impact and likelihood are low, or when the mitigation cost is not justified and avoidance is not permitted by the business).
An intuitive and simplified way to approach the prioritization and decision-making about treatment options is to represent the risk vs. the cost of mitigation in a chart, where the X-axis represents the RALE (Reduction in the Annualized Loss Expectancy) and the Y-axis represents the AMC (Annualized Mitigation Cost).
We can categorize this chart in 4 quadrants as follows:
Quadrant 1: Low RALE - High AMC. It isn’t worth mitigating or avoiding. The clear choice here is to accept or transfer to insurance. We labeled this quadrant “INSURANCE”.
Quadrant 2: Low RALE - Low AMC. In this quadrant, you can apply transfer to insurance, accept, or mitigate treatments, depending on your organization's risk appetite and tolerance, and the budget available. There is not much to worry about here. We labeled this quadrant “RISK APPETITE”.
Quadrant 3: High RALE - Low AMC. In this quadrant, you clearly want to apply mitigation, as you have efficient and cost-effective ways to do it, and the ROSI (Return on Security Investment) is clear. We labeled this quadrant “BUSINESS AS USUAL”.
Quadrant 4: High RALE - High AMC. Here are the challenges: high impact, very difficult to accept, but high cost and complexity of mitigation. Insurance won’t take it, and avoidance will jeopardize the business. You involve the business leaders in making decisions about the treatment to give to this risk. We labeled this quadrant “CISO’s HEADACHE,” but it is as much a Business Leader's headache as a CISO's.
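The quadrant classification above, carried through on numbers, as an added example that is not part of the original post or of ThousandGuards' own tooling. The risk figures, the RALE/AMC thresholds that separate "low" from "high", and the ROSI formula (RALE − AMC) / AMC are assumptions; ALE is computed as SLE × ARO, and the control may reduce likelihood (ARO), impact (SLE), or both.

```python
from dataclasses import dataclass


@dataclass
class Risk:
    """One row of the risk register, before and after the proposed control."""
    name: str
    sle_before: float  # single loss expectancy without the control (currency)
    aro_before: float  # annualized rate of occurrence without the control
    sle_after: float   # single loss expectancy with the control
    aro_after: float   # annualized rate of occurrence with the control
    amc: float         # annualized mitigation cost over the control's life cycle


def ale(sle: float, aro: float) -> float:
    """Annual Loss Expectancy = Single Loss Expectancy x Annualized Rate of Occurrence."""
    return sle * aro


def rale(risk: Risk) -> float:
    """Reduction in ALE delivered by the control."""
    return ale(risk.sle_before, risk.aro_before) - ale(risk.sle_after, risk.aro_after)


def rosi(risk: Risk) -> float:
    """Return on Security Investment, assumed here as (RALE - AMC) / AMC."""
    return (rale(risk) - risk.amc) / risk.amc


def quadrant(risk: Risk, rale_threshold: float, amc_threshold: float) -> str:
    """Map a risk onto the four RALE-vs-AMC quadrants described in the post."""
    high_rale = rale(risk) >= rale_threshold
    high_amc = risk.amc >= amc_threshold
    if high_rale and high_amc:
        return "CISO's HEADACHE"     # Q4: escalate to business leaders
    if high_rale:
        return "BUSINESS AS USUAL"   # Q3: mitigate, ROSI is clear
    if high_amc:
        return "INSURANCE"           # Q1: accept or transfer
    return "RISK APPETITE"           # Q2: any treatment, per appetite and budget


def prioritize(risks, rale_threshold: float, amc_threshold: float) -> dict:
    """Return {name: (quadrant, rosi)} for a register of risks."""
    return {r.name: (quadrant(r, rale_threshold, amc_threshold), rosi(r)) for r in risks}


# Constructed sample register (assumed figures, not real data); thresholds are assumptions too.
SAMPLE_RISKS = [
    Risk("ransomware", 400_000, 0.25, 40_000, 0.125, amc=200_000),
    Risk("phishing", 20_000, 5.0, 20_000, 1.0, amc=15_000),
    Risk("lost laptop", 5_000, 2.0, 500, 2.0, amc=3_000),
    Risk("datacenter fire", 2_000_000, 0.005, 2_000_000, 0.001, amc=150_000),
]
RALE_THRESHOLD, AMC_THRESHOLD = 50_000, 100_000
```

Calling `prioritize(SAMPLE_RISKS, RALE_THRESHOLD, AMC_THRESHOLD)` places the ransomware case in the fourth quadrant even though its RALE is large, because the control's AMC exceeds the loss it removes (negative ROSI), which is exactly the decision the post hands to business leaders.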

The fourth Quadrant, CISOs' headache (and also Business Leaders' headache), is the reason why we created ThousandGuards. We listen to the CISOs regarding their problems in this quadrant, study them, and work to identify innovative cybersecurity startups that provide effective, easy-to-use, scalable, and affordable solutions for some of these risks that otherwise would be complex, costly, and ineffective to mitigate.
Then we facilitate trusted relationships between the startups, the CISOs, and service providers to build the use cases that will make these challenges easy to address.
Calls to action:
As a CISO or cybersecurity professional, if you would like to share some of your CISO’s headaches with us, we will be happy to listen, and even more so if we can help.
MSSPs and cybersecurity system integrators, you are welcome to add our startups to your portfolio and actively participate in our initiative to address the CISO’s HEADACHES.
If you are an innovative cybersecurity startup with the capacity to mitigate one of the CISO’s HEADACHES, we will be pleased to learn from you and consider your inclusion in our portfolio.