An argument for risk surface’s leading role in corporate risk registers
By Richard Seiersen: Risk Management Author, Serial CISO, CEO Soluble

There are many things that you can't measure. But the great fun of what I do for a living is figuring out ways to measure things that people previously considered intangible.” - Bill James

Bill James built his life around baseball metrics. Much of that done as a night-shift security guard at a baked pork-and-beans factory. The beans must have been safe - leaving him to toil away for years on obscure baseball stats. His work eventually paved the way for the Oakland A’s to master an elusive intangible - “winning.”1 And it also paved the way for his lucrative career with the Boston Red Sox.

My co-author Doug Hubbard is also preoccupied with measuring intangibles. In keynotes he often dares audience members to come up with impossible to measure curios, “A thousand dollars to the person who gives me something completely immeasurable, completely intangible.” He hasn’t lost a bet yet, even when asked to measure things like, “a dog’s love.”  

Compounding Intangibility
Locked behind intangible words like winning, love and value sits data.  It’s data that is waiting to be framed and measured. This is particularly true with the intangible we call “risk”, especially cybersecurity risk.

Unfortunately, most security risk is left unmeasured. And if you look at the cause, it’s due to what I call “compounding intangibility.”  It’s taking intangible risk and obscuring them further with non-data language like “high, medium, low” or “red, yellow, green” etc. It’s an insidious process that moves risk management further out of reach of CISOs and other accountable parties.  

This is a huge problem.  And our software defined world makes it worse. It’s a world that digitally moves volumes of value into third party hands. And yet we are still accountable for loss outcomes. We call this new type of risk (digital risk that moves outward in volumes) “Risk Surface.”

Risk Surface On The Rise
Risk Surface is a function of exponential exposure. Digital transformation2, multi and hybrid cloud, mobility and the need to digitally compete drive risk surface. Just imagine over 20 billion devices connected to the internet of things by 2020!  And that’s just for starters!3

How should companies be accounting for, or more specifically measuring, what this change in risk will mean to them?  It takes data:

  1. How much are you currently exposing that is within your direct control?
  2. How much is being pushed to your third parties?  
  3. How much can you infer is then being pushed to their third parties or N-parties?  

This motion of spraying value across third parties should move Risk Surface to the top of corporate risk registers.  New investments in visibility, mitigation and transfer must be considered. The alternative is a recipe for disaster that bodes to turn unmanaged risk into risk realized - aka breach.  

Getting To Know Risk Surface
To wrap your mind around this new distinction, I encourage you to read the new “Risk Surface” research being produced by the fine folks at the Cyentia Institute.  They are the ones who originally drove Verizon’s Data Breach Investigation Report. And they are backed by terabytes of data coming from RiskRecon’s massive third party data sets.  It’s a great place to start your movement from intangible and immeasurable to visible and managed.


1Read or watch “Moneyball”