“What if a Colonial-type event happened to us?”

Published by Scott Kannry

Maintaining calm during the storm

After many of the large-scale cyber events that hit the news over the past few years, frantic calls from CEOs and board members to Chief Information Security Officers (CISOs) typically started with a question along the lines of “Could this happen to us?”  In response, CISOs typically offered security metrics and KPIs supporting a belief that the organization was well protected, followed by a reminder that more money for more controls would always be helpful.

That dialogue, and the approach behind it, is broken.  The Colonial Pipeline event further underscores the need for executives and security leaders to understand the business impact and financial implications of cybersecurity events BEFORE THEY HAPPEN, as a key driver of prioritization and mitigation investment. This is especially critical in an era where organizations are rushing to digitally transform their enterprises, which increases both the likelihood and the significance of events of this type. Critical infrastructure industries are particularly prone to disruption when such an event happens.

In a more evolved state, the conversation can go something like:

CEO: “I just saw the news about the large cybersecurity attack on one of our peers.  What if something like that happens to us?”

CISO: “Our cyber risk visibility dashboard indicates that a similar successful attack would be worse for us if it hit [X] part of the operation.  We’d likely need to replace about $10M of production assets, the revenue losses during the anticipated week of downtime would be approximately $50M, we’d be looking at approximately $15M of liquidated damage obligations to our key clients, and finally, forensics and other remediation efforts would probably total $5M.  That makes it an $80M event for us.  The good news however, is that I’ll show you how our controls map to that scenario and that we’re currently at Low Susceptibility to this type of an attack.  And if it does happen, our insurance recovery dashboard indicates that we’ll have approximately $65M of coverage available, for everything but the liquidated damage losses.”

CISO: “What else can I tell you?  Are you comfortable with all of that in relation to the organization’s risk tolerance, or should we act quickly on any front?”

CEO: “Could you let me know how we could cut our anticipated downtime in half, and what it would cost to do it?  Seems like we should at least know what could mitigate the largest loss impact driver.”

CISO: “Absolutely, I’ll model that quickly and email you within the hour.”

That is the type of perspective and insight that drives organizations in the right direction. The earlier exchange, by contrast, is symptomatic of an organization that will remain susceptible to large and disruptive events.

 

More than an evolution: a security portfolio revolution

Getting to an evolved state is not difficult, and it all starts with cyber risk quantification: understanding the business impact and financial implications of potential cybersecurity events.  Doing it right means anticipating the cybersecurity events that could happen to you and estimating the impact drivers of each (asset replacement, downtime, contractual penalties, forensics and remediation).  Taking it one step further, it means mapping how the security control portfolio covers the most substantial events, and how the organization’s insurance portfolio would (or would not) cover the anticipated losses.
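The dialogue above implies a simple loss model: a scenario is decomposed into impact drivers, the drivers are summed, the insurance program is applied component by component, and a what-if (here, the CEO’s “cut downtime in half”) is re-run against the same structure. The following is an added example of that structure, not Axio’s tooling or model. The dollar figures are the illustrative ones from the CISO’s answer ($10M assets, a week of downtime costing $50M, $15M liquidated damages, $5M forensics, insurance responding to everything except the liquidated damages); the policy limit and retention are assumptions introduced only so the example is complete.

```python
"""Toy cyber risk quantification model (added example, not Axio's tooling).

Scenario figures come from the CEO/CISO dialogue on this page; the policy
limit and retention are assumptions made for the example.
"""
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Scenario:
    name: str
    asset_replacement: float      # $ to replace production assets destroyed or encrypted
    downtime_days: float          # expected outage length
    revenue_per_day: float        # revenue lost per day of outage
    liquidated_damages: float     # contractual penalties owed to key clients
    forensics_remediation: float  # incident response, forensics and rebuild costs


@dataclass(frozen=True)
class Policy:
    covered: frozenset            # loss components the policy responds to
    limit: float                  # per-occurrence limit (assumed for the example)
    retention: float = 0.0        # self-insured retention / deductible (assumed)


def loss_breakdown(s: Scenario) -> dict:
    """Split a scenario into its impact drivers, in whole dollars."""
    return {
        "asset_replacement": round(s.asset_replacement),
        "downtime_revenue": round(s.revenue_per_day * s.downtime_days),
        "liquidated_damages": round(s.liquidated_damages),
        "forensics_remediation": round(s.forensics_remediation),
    }


def total_loss(s: Scenario) -> int:
    return sum(loss_breakdown(s).values())


def largest_driver(s: Scenario) -> str:
    """The component worth attacking first when the CEO asks what to mitigate."""
    return max(loss_breakdown(s).items(), key=lambda kv: kv[1])[0]


def insured_recovery(s: Scenario, p: Policy) -> int:
    """Covered components, net of retention, capped at the per-occurrence limit."""
    covered = sum(v for k, v in loss_breakdown(s).items() if k in p.covered)
    return int(min(p.limit, max(0, covered - p.retention)))


def uninsured_loss(s: Scenario, p: Policy) -> int:
    return total_loss(s) - insured_recovery(s, p)


def with_downtime(s: Scenario, days: float) -> Scenario:
    """What-if: the same scenario with a different outage length."""
    return replace(s, downtime_days=days)


# Page figures: $10M assets, one week of downtime costing $50M, $15M liquidated
# damages, $5M forensics. Scenario name is a placeholder, as in the dialogue.
COLONIAL_LIKE = Scenario(
    name="ransomware disrupts [X] part of the operation",
    asset_replacement=10_000_000,
    downtime_days=7,
    revenue_per_day=50_000_000 / 7,
    liquidated_damages=15_000_000,
    forensics_remediation=5_000_000,
)

# Page: coverage for everything but liquidated damages. Limit is an assumption
# chosen so it does not bind; retention assumed zero.
POLICY = Policy(
    covered=frozenset({"asset_replacement", "downtime_revenue", "forensics_remediation"}),
    limit=100_000_000,
)


def report(s: Scenario, p: Policy) -> str:
    lines = [f"Scenario: {s.name} (downtime {s.downtime_days:g} days)"]
    for k, v in loss_breakdown(s).items():
        lines.append(f"  {k:<22} ${v / 1e6:>6.1f}M")
    lines.append(f"  {'total':<22} ${total_loss(s) / 1e6:>6.1f}M")
    lines.append(f"  {'insured recovery':<22} ${insured_recovery(s, p) / 1e6:>6.1f}M")
    lines.append(f"  {'uninsured':<22} ${uninsured_loss(s, p) / 1e6:>6.1f}M")
    lines.append(f"  largest driver: {largest_driver(s)}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(COLONIAL_LIKE, POLICY))
    # The CEO's follow-up: what does halving the downtime do to the numbers?
    print(report(with_downtime(COLONIAL_LIKE, COLONIAL_LIKE.downtime_days / 2), POLICY))
```

Running the block reproduces the $80M event with $65M recoverable and $15M uninsured, and the halved-downtime what-if drops the total to $55M. The point of keeping drivers, coverage and what-ifs as separate functions is that the mitigation question in the dialogue (“what would it cost to cut downtime in half?”) becomes a one-line change to the scenario rather than a new spreadsheet, and adding a real limit or retention to `Policy` immediately shows when the insured figure would fall short of the covered losses.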

Put together, those components give organizations the visibility they need to focus, prioritize effectively and mitigate successfully in the face of events like the Colonial Pipeline ransomware attack.

In regard to ransomware preparedness, organizational enablement has often been confused with adding complexity and resources. A successful quantification strategy achieves the opposite. In a few hours, the CEO, the CISO and the entire security team can have visibility into the worst-case scenario in dollars and cents: how much is at stake, which controls provide the best return on investment, and which steps to take to strengthen cyber posture.

 

Book a confidential consultation with Axio’s ransomware modeling team.