December 6, 2022

Security and fraud leaders need to speak the language of the board to translate security and fraud risks into monetary risks to the business

Most of us in the security and fraud fields understand the importance of working with key stakeholders within the business. What we might forget sometimes is that these people don’t necessarily speak our language. They are, however, intelligent and analytical in their own right. If we can learn to communicate in a way that they can understand, internalize, and act upon, it serves to benefit us tremendously.

Given this, learning how to speak the language of the business seems like a worthwhile investment of our time. For example, understanding what resonates with executives and the board can help us with a variety of things: obtaining the necessary budget, achieving the required buy-in, and showing our value as a team, among other things.

Once we decide to make an effort to communicate better with executives and the board, how can we effectively implement that change? For starters, it helps to remember that executives and the board are primarily monetarily motivated. I don't mean that in a negative way: they need to ensure that the business makes a healthy profit and that the business does not incur unnecessary risk, expenses, or losses. As such, learning how to translate security and fraud concepts into monetary risk goes a long way towards effectively communicating with higher-ups.

As it happens, we are also entering the time of year when many people do holiday shopping, much of it online these days. That makes it as good a time as any to focus on the digital channels (web and mobile) that our online applications use. As security and fraud professionals, we know that we need to defend our applications against bots and fraud. But how can we broach the topic with a business audience? What if we approach the topic as an assessment of the various monetary risks to the business?

Let’s take a look at eight points that could impact the business and how to discuss that impact in the language of the business:

● Reputation damage: After Account Takeover (ATO), some customers may lose trust in an online application. This, as you might expect, results in lost revenue. But just how much lost revenue exactly? That is the question, of course. It requires some effort, but digging up the data required to understand how much money is being left on the table by lost confidence is a great way to communicate the risk of reputation damage to executives and the board.

● Fraud losses: Fraud can have serious economic consequences: online fraud losses are projected to exceed $48 billion per year by 2023, according to a report by Juniper Research. Getting a handle on just how much cost is being sunk into fraud losses can be a great way to justify the budget required to mitigate that risk. With objective metrics in hand, that discussion then becomes a simple Return on Investment (ROI) calculation.

● Data theft: In many jurisdictions, theft of customer and other PII data may come with disclosure costs and regulatory fines. This is in addition to the reputation damage these types of incidents cause, of course. Calculating these costs can help make the argument that steps need to be taken to mitigate the risk posed by data theft.

● Investigation costs: After a security incident, bot attack, or fraud event, enterprises incur serious investigation costs. In particular, when learning of an issue after the fact, the team needs to scramble to find the appropriate data sources, investigate what happened, and piece the puzzle together. If there is a lack of visibility, this challenge becomes even more time consuming and costly. While it is a complex undertaking, identifying gaps in visibility, translating those gaps into added investigative cost, and understanding the overall per-incident cost to investigate and respond can go a long way towards justifying the budget to address these issues.

● Infrastructure costs: Some people might not realize that bots are responsible for up to 40% of all online traffic and are a leading cause of cyberattacks, according to a report from Aite-Novarica Group. Obviously, that means that a decent percentage of your infrastructure costs are being spent on serving traffic to automated requests that are not coming from your legitimate customers. Understanding how much this costs the business is a great way to communicate the risk of bot attacks to executives and the board.

● Performance costs: When bots attack, the performance of your online application will likely suffer. Keeping an eye on how many users abandon the site and thus how much potential revenue is lost is essential when looking to communicate performance costs upward.

● Manipulating inventory: Some attackers are particularly good at using bots to manipulate inventory. When attackers take your inventory away from your legitimate customers, there is a cost to that. Understanding this cost is something that will likely resonate with higher-ups.

● Customer support costs: With Account Takeover (ATO) and other types of attacks, there is often a support cost incurred when users get locked out of their accounts. This cost is, unfortunately, often overlooked, but it is one that executives and the board will also likely want to understand.

Speaking the language of executives and the board is important. Security and fraud leaders who learn how to translate security and fraud risks into monetary risks to the business generally have more success obtaining budget, getting buy-in, and communicating value to higher-ups. It does take some effort to be able to do this, though it is a worthwhile investment.


Joshua Goldfarb (Twitter: @ananalytical) is currently a Fraud Solutions Architect, EMEA and APCJ, at F5. Previously, Josh served as VP, CTO, Emerging Technologies at FireEye and as Chief Security Officer for nPulse Technologies until its acquisition by FireEye. Prior to joining nPulse, Josh worked as an independent consultant, applying his analytical methodology to help enterprises build and enhance their network traffic analysis, security operations, and incident response capabilities to improve their information security postures. He has consulted and advised numerous clients in both the public and private sectors at strategic and tactical levels. Earlier in his career, Josh served as the Chief of Analysis for the United States Computer Emergency Readiness Team (US-CERT), where he built from the ground up and subsequently ran the network, endpoint, and malware analysis/forensics capabilities for US-CERT.