Cyber Insurance – the Chicken and the Egg

Today, one of the most common discussions I have is "How do I qualify the cyber security risk to my board?" The security industry is very good at defining the type and scale of the threats active today, and with projects such as CISP, companies are starting to share intelligence with each other about the attributes of the real-time attacks they are seeing. Yet we still have a major hurdle to tackle: the business impact that comes from incidents. While we continue to treat any breach as a failure, we will continue to keep the business impact of an attack a closely guarded secret. Legislation such as the disclosure laws in the U.S. (which the EU is looking to repeat at some level in the proposed Network and Information Security directive) mandates the disclosure of what personally identifiable data was taken, yet this is not the impact, simply one of the potential catalysts of impact.