• Risk Appetite Statement Importance

  • A risk appetite statement is important for a CISO because it aligns security with the business goals. The problem is that many organizations don't have a risk appetite statement or know how to establish one.

    You can start the risk appetite creation process with a financial statement. The financial statement shows you exactly how the organization makes money. I'll use a fictional organization as an example for this blog post.

    The fictional organization distributes consumer electronics and the financial statement breaks down monthly revenue for the organization as follows:

    • Web site sales: $150,000
    • Electronic Data Interchange (EDI): $900,000
    • Ecommerce Dept Processing: $250,000
    • Inbound Sales Department: $750,000

    Risk Appetite Questions

    The important question to ask the executives is: how much risk are you willing to accept for each of these areas?

    Risk from this perspective might be downtime, degraded performance, breach, or critical vulnerabilities.

    The executives might respond that they have no risk appetite for the website being offline or adversely impacted. That means the organization is willing to invest as much as needed to prevent bad things from happening to the web server. Based on that, you formulate a plan for securing the web server.

    This might include:

    • High availability
    • Web application firewall
    • Intrusion detection and prevention
    • Data loss prevention

    You also need to consider cost. For this example, the annual cost of these protections is $350,000.

    Presenting Your Case

    You now need to get buy-in from the executives for your plan to protect the web server. One approach is to show the following:

    • Web Server Annual Revenue: $1,800,000
    • Compensating Controls: $350,000

    The projected impact of the web server being adversely impacted might be based on the number of customer records exposed in a breach.

    Let's say you have 2,000,000 customer records and your research shows that the average cost per record lost in a breach is $165.00. That means the worst-case financial impact of a breach of the web server, with every record exposed, is 2,000,000 × $165 = $330,000,000.

    You now need to determine the likelihood of something bad happening to the web server. The current context of the web server is important. Let's say you have a public-facing ecommerce site that is updated regularly, with only a basic firewall in place.

    The developers regularly update the site, and there is no DevSecOps program or penetration testing in place to ensure the site is secure.

    A qualitative approach might indicate a high probability of bad things happening to the web server, but executives want actual numbers rather than "high, medium, and low".

    Based on your research into the threat landscape and the current context of the web server, you estimate an 85% chance of a breach of the web server in its current state. Treat this as an annual probability so it can be compared with annual revenue and annual control cost, and document the basis for the number, because the executives will ask how you arrived at it.

    You then communicate this to the executives:

    • The web server brings in an annual revenue of $1,800,000
    • There's an 85% chance of a breach of the web server, with an impact of approximately $330,000,000, which is an expected annual loss of roughly $280,500,000.
    • We can secure the web server for an annual cost of $350,000

    Risk Appetite Decisions

    Once you have presented your case, it's up to the executives to determine whether they want to invest that much into protecting the web server. A business decision like this is not the responsibility of the CISO.

    The executives may advise you to proceed with your plan, or ask you to outline a less expensive approach. In that case you will need to calculate the risks and trade-offs of each protection you propose to modify or remove.
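    The expected-loss comparison presented to the executives above, and the trade-off analysis this paragraph calls for when they ask for a cheaper plan, can both be worked through in a small script. The following is an added example and is not code from the original post. It uses the post's figures ($150,000 per month of web site revenue, 2,000,000 records at $165 each, an 85% annual breach likelihood, $350,000 per year for the full control set) and adds two hypothetical assumptions of its own: how that $350,000 is split across the four controls, and how much each control reduces breach likelihood. Residual risk is compared against an assumed risk appetite of $100,000,000 in expected annual loss; none of those assumed values come from the post.

```python
"""Quantitative risk comparison for the web server scenario in the post.

Added example (not part of the original post). Figures taken from the post:
$150,000/month web site revenue, 2,000,000 customer records, $165 per record,
85% annual breach likelihood in the current state, $350,000/year for the full
control set. The split of that $350,000 across controls and the likelihood
reduction attributed to each control are hypothetical assumptions made here
purely for illustration.
"""
from dataclasses import dataclass
from itertools import combinations

RECORDS = 2_000_000
COST_PER_RECORD = 165.0
ANNUAL_WEB_REVENUE = 150_000 * 12          # $1,800,000, as in the post
BASELINE_LIKELIHOOD = 0.85                 # annual chance of a breach, as in the post


@dataclass(frozen=True)
class Control:
    name: str
    annual_cost: float
    # Fraction of breach likelihood that remains once the control is in place
    # (1.0 = no effect on breach likelihood). Assumed values, not from the post.
    residual_factor: float


# Hypothetical split of the post's $350,000 and assumed effectiveness.
CONTROLS = (
    Control("High availability", 100_000, 1.00),   # availability control, not a breach control
    Control("Web application firewall", 80_000, 0.50),
    Control("Intrusion detection and prevention", 120_000, 0.60),
    Control("Data loss prevention", 50_000, 0.70),
)


def single_loss_expectancy(records=RECORDS, cost_per_record=COST_PER_RECORD):
    """Loss from one breach exposing every record: 2,000,000 x $165 = $330,000,000."""
    return records * cost_per_record


def residual_likelihood(controls, baseline=BASELINE_LIKELIHOOD):
    """Breach likelihood left after the controls. Treats controls as independent
    layers, so each one multiplies whatever likelihood the previous layers left."""
    likelihood = baseline
    for control in controls:
        likelihood *= control.residual_factor
    return likelihood


def annual_loss_expectancy(likelihood, sle):
    """ALE = annual likelihood x single loss expectancy."""
    return likelihood * sle


def evaluate_plan(controls, appetite_max_ale=None):
    """Cost, residual risk and return on security investment (ROSI) for a set of controls.

    ROSI = (risk reduction - control cost) / control cost. If appetite_max_ale is
    given (the largest expected annual loss the executives will accept), the
    result also says whether the plan keeps residual risk within that appetite.
    """
    sle = single_loss_expectancy()
    ale_before = annual_loss_expectancy(BASELINE_LIKELIHOOD, sle)
    likelihood_after = residual_likelihood(controls)
    ale_after = annual_loss_expectancy(likelihood_after, sle)
    cost = sum(c.annual_cost for c in controls)
    reduction = ale_before - ale_after
    return {
        "controls": tuple(c.name for c in controls),
        "annual_cost": cost,
        "residual_likelihood": likelihood_after,
        "ale_before": ale_before,
        "ale_after": ale_after,
        "risk_reduction": reduction,
        "rosi": (reduction - cost) / cost if cost else float("nan"),
        "within_appetite": None if appetite_max_ale is None else ale_after <= appetite_max_ale,
    }


def cheaper_alternatives(controls=CONTROLS, appetite_max_ale=None):
    """Every plan that drops exactly one control, ordered by remaining ALE
    (lowest first). This is the trade-off analysis to bring back when the
    executives ask for a less expensive approach."""
    plans = [evaluate_plan(subset, appetite_max_ale)
             for subset in combinations(controls, len(controls) - 1)]
    return sorted(plans, key=lambda p: p["ale_after"])


if __name__ == "__main__":
    appetite = 100_000_000        # assumed appetite: max expected annual loss
    full_cost = sum(c.annual_cost for c in CONTROLS)
    full = evaluate_plan(CONTROLS, appetite_max_ale=appetite)
    print(f"Full plan: ${full['annual_cost']:,.0f}/yr, residual likelihood "
          f"{full['residual_likelihood']:.1%}, ALE ${full['ale_after']:,.0f}, "
          f"ROSI {full['rosi']:.0f}x, within appetite: {full['within_appetite']}")
    for plan in cheaper_alternatives(appetite_max_ale=appetite):
        dropped = {c.name for c in CONTROLS} - set(plan["controls"])
        print(f"Drop {dropped.pop():<36} saves ${full_cost - plan['annual_cost']:>8,.0f}"
              f"  ALE ${plan['ale_after']:,.0f}  within appetite: {plan['within_appetite']}")
```

    Two things the output makes visible that the bullet list for the executives does not: the full plan's residual risk is still tens of millions of dollars per year, so "no risk appetite" is never literally achievable, and dropping the high availability component costs nothing in breach likelihood under these assumptions because it addresses downtime rather than breach. Swap in your own cost split, effectiveness estimates and appetite threshold; the point of the script is that every one of those inputs is written down where an executive can challenge it.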