Rod Beckstrom, Founding Director of the U.S. National Cybersecurity Center
This month, we spoke with Rod Beckstrom, founding director of the U.S. National Cybersecurity Center, who will be discussing at the summit the CyberVaR metric he co-developed and will explain how IT security executives can use CyberVaR – which is one of the first metrics to tangibly measure a company’s value at risk related to cybersecurity issues.
“As an industry, we’ll make big strides in the next five to 10 years in making this a reality. Most CEOs have no idea what their cyber exposure is,” says Beckstrom, who co-edited a book on the value-at-risk model when it was first used in financial services. Now, he says, he’s helping to spread the word on using the VaR metric in the cybersecurity space so businesses can learn to be more proactive, rather than reactive, in their security investments. Which is precisely why we’ve invited Beckstrom to speak at the Black Hat Executive Summit December 8-10 in Scottsdale, AZ.
The content of the summit is designed for CISOs, CIOs, and CTOs to actively engage in conversations and working groups, not only to better understand all of the peripheral issues that are impacting their ability to stay ahead of the latest threats, but also to help hammer out best practices that will benefit the industry. One of those best practices is the CyberVaR metric, a risk estimation methodology that gives top management a statistical probability with which to understand the overall cybersecurity risk of an enterprise. Beckstrom says companies can also leverage their existing enterprise risk management framework to enhance the results.
With such a formula, business executives will better understand how much value they’re likely to lose to cyber attacks over a given period of time. It also helps answer the ever-present question of how much to invest in IT security, and how much that investment will impact and reduce risk to the company’s value.
So far, there hasn’t been a reliable metric for measuring risk to the value of a given business. Beckstrom says some businesses are already experimenting with this metric and that he expects it to be useful from a broader perspective within a year, with refinement continuing for many years. He is also working with PricewaterhouseCoopers on developing a practice for addressing these services.
Beckstrom explains it this way: The CyberVaR model can be used to estimate what the minimum expected loss would be over a year of business operations. For instance, XYZ Company has 10 million clients and 10 million credit card numbers, and it’s already known that the cost of exposure for each name is $216 (in the U.S.), or a $2.1 billion exposure. “Just tallying an organization’s exposure is a radically new idea for many of them,” Beckstrom says. The next step is to calculate the probability of loss. Insurance policies already carry a probability of loss, so, for example, if a company is insuring $300 million in value and the premium is about $6 million, that is about 2%. So, says Beckstrom, for hard costs alone, there is about a 2% to 3% probability a company will get hit in a given year. If this level of expected minimum loss is too high for the CEO, he or she might choose either to buy cyber liability insurance to reduce that exposure or to invest more in security efforts to lower expected losses.
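To make the arithmetic behind that walkthrough concrete, here is a small back-of-the-envelope model written for this article; it is an added illustration, not Beckstrom's CyberVaR methodology or any PwC tooling. It takes the figures from the example above (10 million records at $216 each; a $6 million premium on $300 million of insured value, giving roughly 2%), derives the expected annual loss, and then compares two responses a CEO might consider. The insurance cover amount, the security spend and the reduced probability it buys are constructed placeholder values, not figures from the article.

```python
"""Back-of-the-envelope cyber value-at-risk model (added illustration, not the CyberVaR method itself)."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Exposure:
    """Records held and the assumed cost per exposed record."""
    records: int
    cost_per_record: float

    def total(self) -> float:
        # Exposure is simply records multiplied by cost per record.
        return self.records * self.cost_per_record


def implied_annual_probability(premium: float, insured_value: float) -> float:
    """Read an annual loss probability off an insurance quote, as the article does.

    A $6M premium on $300M of cover implies roughly a 2% chance of loss per year.
    """
    if insured_value <= 0 or premium < 0:
        raise ValueError("premium must be non-negative and insured value positive")
    return premium / insured_value


def expected_annual_loss(exposure: float, probability: float) -> float:
    """Minimum expected loss over a year: exposure times probability of being hit."""
    if not 0.0 <= probability <= 1.0:
        raise ValueError("probability must be between 0 and 1")
    return exposure * probability


def compare_options(exposure: float, probability: float,
                    insurance_premium: float, insurance_cover: float,
                    security_spend: float, probability_after_security: float) -> dict:
    """Compare doing nothing, buying insurance, and investing in security.

    Each option is scored as expected annual cost: money spent up front plus the
    expected loss that remains. Insurance caps the loss at the covered amount;
    security spending is assumed to lower the probability of a loss event.
    """
    baseline = expected_annual_loss(exposure, probability)
    # Loss not transferred to the insurer is still borne by the company.
    retained = max(exposure - insurance_cover, 0.0)
    with_insurance = insurance_premium + expected_annual_loss(retained, probability)
    with_security = security_spend + expected_annual_loss(exposure, probability_after_security)
    return {
        "do_nothing": baseline,
        "buy_insurance": with_insurance,
        "invest_in_security": with_security,
    }


# Worked figures from the article, plus constructed values for the two options.
XYZ = Exposure(records=10_000_000, cost_per_record=216.0)
P_IMPLIED = implied_annual_probability(premium=6_000_000, insured_value=300_000_000)

if __name__ == "__main__":
    print(f"Exposure: ${XYZ.total():,.0f}")
    print(f"Implied annual probability of loss: {P_IMPLIED:.1%}")
    for p in (0.02, 0.03):
        print(f"Expected annual loss at {p:.0%}: ${expected_annual_loss(XYZ.total(), p):,.0f}")
    # Constructed option values: $300M cover for $6M; $15M security spend assumed to cut p to 1.5%.
    for name, cost in compare_options(XYZ.total(), 0.03, 6_000_000, 300_000_000,
                                      15_000_000, 0.015).items():
        print(f"{name:>20}: ${cost:,.0f} expected annual cost")
```

The point of the comparison function is the decision the article describes: once exposure and probability are on the table, insurance and security spend can be weighed against each other in the same currency, which is what lets the question "how much should we invest?" be answered rather than guessed.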
“The C suite will get this very quickly,” he says. “In financial services, they already have to do this every day [to measure financial investment risks].”
Discussions on this metric began to take shape at this year’s World Economic Forum in January, and the advisory board there is looking at how it evolves next year. As Beckstrom explains, the WEF isn’t a standards body, so someone like NIST could potentially become a place for standards to be discussed.
For estimating IP losses and other general business losses, the problem is obviously more complex. Tools, techniques, and practices will need to be developed to help close that gap so this valuable and potentially game-changing concept can be applied in practice. That’s where events like the Black Hat Executive Summit come in. And, when you think about it, can you afford not to know your own CyberVaR score? Register for the Black Hat Executive Summit December 8-10 in Scottsdale, AZ.