Effective strategies for turning cyber risk data into business insights

The Australian
Business stakeholders, from board members and C-suite executives to regulators and auditors, are looking for answers about how they should view cyber risk in the context of their own roles.
'In today's AI-driven landscape, traditional methods of manually gathering technical cyber data points and attempting to report the same information to various audiences across business, technology, and cyber leaders are no longer effective,' says Ajay Arora, a managing director with Deloitte & Touche LLP. 'Organisations should embrace advanced analytics and tailored communication strategies to confirm that cyber risk insights are meaningful and actionable for each stakeholder group.'
'Board members are asking whether the company is exposed to cyber risks that they're reading about in the newspapers,' says Raj Mehta, a partner with Deloitte & Touche LLP. 'Many CIOs and CFOs are asking whether company investments in cyber security capabilities are aligned with the industry and peers. And regulators and auditors are asking whether the organisation has put the right tools and processes in place.'
As the face of cyber security for the organisation, chief information security officers (CISOs) face multiple challenges when it comes to answering these questions, be it the manual nature of data collection, the complexity of generating meaningful analytics or differing opinions and comfort levels when it comes to risk representation.
'Risk decision-making around cyber should be as credible, defendable, and trustworthy as financial statements,' says Arora. 'Finance teams collect data that is spread across different tools and processes in the organisation, and there is a clear methodology, framework, and understanding of what statements and reports like a balance sheet and a P&L are. That enterprise-wide understanding does not typically exist in cyber today, but it is where the industry is going.'
To get to the point where cyber is a standard part of the general business lexicon, it is essential for an organisation to develop a common assessment methodology for the risk-relevant data generated by cyber security tools and processes.
'Risks can then be quantified by consolidating and normalising data for processing through a common risk model,' says Mehdi Houdaigui, a principal with Deloitte & Touche LLP. 'The output of the model is then used for the purpose of creating detailed analyses across business units, regions, and functions in a way that is meaningful to different audiences.'
Below are three strategies to consider when building a foundational and trustworthy cyber reporting capability that enhances understanding for stakeholders.
Build a scalable cyber analytics foundation
The first step is to understand the audience and their use cases. Consider separating stakeholders into broad categories — for example, the cyber team, the IT team, and an extended business category — and then segmenting those categories further into different levels, such as executive, management, and operational.
When it comes to building a cyber analytics foundation, the first element to put into place is a metrics framework that incorporates the appropriate key risk indicators (KRIs), key performance indicators (KPIs), and the underlying data points to support each. For example, a reporting program might indicate workforce cyber resilience by tracking trends in failed phishing tests or in the resolution of data loss events, and might provide supply chain risk intelligence by focusing on program governance, assessment coverage, and remediation.
'To run a cyber metrics and reporting program, organisations will need to continually analyse the data sets collected from their portfolio of cyber and technology tools,' says Stephen Gathman, a manager with Deloitte & Touche LLP. 'From those data sources, an effective set of risk indicators can be produced as a foundation for communicating cyber-induced business risks,' he explains.
Next, develop a risk engine that applies standard risk scoring methodologies, data transformation, and advanced techniques such as AI and machine learning to take cyber data feeds and translate them into indicators of business risk.
Once these foundational capabilities are in place, the organisation can work on maturing capabilities in three areas: effective storytelling that is customised to particular audiences, translating technical cyber risk into both business risk and financial terms, and linking the cyber strategy to the business strategy.
Confirm trustworthy data quality and models
Technology and application teams must parse through vast amounts of cyber data to address risks, which can lead to uncertainty in prioritisation of risk reduction efforts. Common challenges include:
• conflicting or redundant data gathered from multiple data sources;
• mixed data structures and models that cause problems when merged;
• varied rating methodologies and scales that can lead to confusing results; and
• excessive metrics tracking that can produce unclear messaging in reporting.
'It is imperative for cyber analytics teams to build trust in the quality of the risk analytics and metrics being produced from the varied data sources by implementing consistent and transparent models,' says Duncan Molony, head of Cyber Security and Data Analytics at Corebridge Financial.
Examples of trust-related metrics include identity and access measures that help leaders visualise growth in attack vectors, and secure application development (DevSecOps) measures such as tracking the use of secure code repositories.
Several steps can help address these challenges and develop a mature risk model:
• Deploy a common data model that houses data from multiple sources to maximise utility.
• Normalise the common data model to remove redundancy and achieve a centralised warehouse of risk data.
• Leverage a common risk scoring methodology to enable risk aggregation over multiple dimensions, such as business units or applications.
'Traditional cyber metric bottom-up reporting and cyber risk quantification (CRQ) in financial terms are increasingly converging to provide a richer context for decision-makers,' says Molony. 'This integration allows organisations to present a more comprehensive view of cyber risks, aligning technical data with financial impacts to enhance strategic decision-making.'
The goal is to end up with data that is accurate, complete, consistent, unique, and timely. This can then be aggregated appropriately for a particular audience.
'As cyber risk reporting moves up the chain within an organisation, the scope of relevant risk metrics narrows and more data needs to be aggregated at the appropriate level for the right audience or stakeholder group,' says Tiffany Kleemann, a managing director with Deloitte & Touche LLP.
'For example, those at the operational level may need to see technical data points, whereas those in the C-suite may require information to be aggregated and presented in business terms that reflect business risk, operational resiliency and disruption, or compliance risk. As aggregation increases, it is imperative to strengthen the foundation of data governance and data quality to build and sustain trust in cyber risk reporting,' adds Kleemann.
Provide actionable risk intelligence
'In Deloitte's experience, boards and audit committees often ask questions that fit into one of two buckets: risk exposure, or readiness and resiliency,' says Arora. 'They want to know how exposed the company is to cyber risk and then how ready the organisation is to respond should an incident occur.'
A leading way to measure and illustrate cyber risk is to build a series of persona-based dashboards and composite, outcome-oriented indicators that can provide actionable insight in a way that is easily digestible. Effective reporting and dashboards gauge levels of cyber risk exposure and resilience, helping the organisation to quantify its cyber posture via frameworks such as the National Institute of Standards and Technology Cybersecurity Framework.
In addition to decision intelligence, actionable cyber reporting can be used to translate cyber risks into the business terms typically used to discuss operational disruption, reputational risk, or financial loss. 'The output also provides cyber teams with the insight to break down items by dimensions, such as business units, brands, products, or regions so the information is meaningful for the owners who drive action in the business,' says Arora.
'Being able to slice and dice the metrics by dimension is what helps make the risk intelligence actionable,' says Gathman.
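The following is an added example, not code from the article or from Deloitte or Corebridge, showing in working form what the three steps in the previous section describe (a common data model, normalisation and de-duplication, and a common scoring method aggregated over dimensions) together with the slicing by business unit and region that Arora and Gathman describe here. All of it rests on assumptions: the asset inventory, the two raw scanner feeds with their different scales and field names, the 30-day timeliness threshold, the 0.15 score tolerance, and the criticality-weighted scoring are constructed for illustration, and the findings and issue identifiers are placeholders. The quality report is keyed by the complete / consistent / unique / timely goals named above.

```python
"""Common data model for cyber risk findings (added example, constructed data)."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Tuple

MAX_AGE = timedelta(days=30)   # assumed: older observations are not "timely"
SCORE_TOLERANCE = 0.15         # assumed: larger disagreement between sources is a consistency issue
REPORT_DATE = datetime(2025, 6, 14, tzinfo=timezone.utc)  # assumed reporting date

# Hypothetical asset inventory: the reporting dimensions (business unit, region)
# and a criticality weight used by the common scoring method.
ASSETS = {
    "web-01": {"bu": "Retail", "region": "APAC", "criticality": 1.0},
    "db-07": {"bu": "Retail", "region": "APAC", "criticality": 1.5},
    "hr-03": {"bu": "Corporate", "region": "EMEA", "criticality": 0.7},
}

# Constructed raw feeds. Scanner A scores 0-10; scanner B uses a 1-4 ordinal
# scale and different field names. ISSUE-n are placeholder identifiers.
RAW_A = [
    {"host": "web-01", "ref": "ISSUE-1", "cvss": 9.8, "seen": "2025-06-10T00:00:00Z"},
    {"host": "db-07", "ref": "ISSUE-2", "cvss": 7.5, "seen": "2025-06-12T00:00:00Z"},
    {"host": "hr-03", "ref": "ISSUE-3", "cvss": 4.0, "seen": "2025-03-01T00:00:00Z"},
    {"host": "hr-03", "ref": "ISSUE-5", "cvss": 5.5, "seen": "2025-06-13T00:00:00Z"},
]
RAW_B = [
    {"asset": "web-01", "id": "ISSUE-1", "sev": 3, "ts": "2025-06-11T00:00:00Z"},
    {"asset": "ghost-99", "id": "ISSUE-4", "sev": 2, "ts": "2025-06-11T00:00:00Z"},
]


def _parse(ts: str) -> datetime:
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))


@dataclass(frozen=True)
class Finding:
    """The common data model: every source is mapped onto these fields."""
    asset: str
    issue: str
    score: float      # common 0.0-1.0 scale
    seen: datetime
    source: str


def normalise_a(rec: dict) -> Finding:
    return Finding(rec["host"], rec["ref"], rec["cvss"] / 10.0, _parse(rec["seen"]), "scanner_a")


def normalise_b(rec: dict) -> Finding:
    return Finding(rec["asset"], rec["id"], rec["sev"] / 4.0, _parse(rec["ts"]), "scanner_b")


def build_model(now: datetime) -> Tuple[List[Finding], Dict[str, List[str]]]:
    """Normalise, de-duplicate and quality-check both feeds.

    Returns the findings that pass the checks and a report keyed by the data
    quality dimension that failed (complete / consistent / unique / timely).
    """
    report: Dict[str, List[str]] = {"complete": [], "consistent": [], "unique": [], "timely": []}
    merged: Dict[Tuple[str, str], Finding] = {}
    for f in [normalise_a(r) for r in RAW_A] + [normalise_b(r) for r in RAW_B]:
        key = (f.asset, f.issue)
        if key in merged:  # same issue from two sources: keep the newest, report the overlap
            other = merged[key]
            report["unique"].append(f"{f.asset}/{f.issue} from {other.source} and {f.source}")
            if abs(other.score - f.score) > SCORE_TOLERANCE:
                report["consistent"].append(f"{f.asset}/{f.issue}: {other.score:.2f} vs {f.score:.2f}")
            if f.seen <= other.seen:
                continue
        merged[key] = f
    accepted: List[Finding] = []
    for f in merged.values():
        if f.asset not in ASSETS:            # cannot be attributed to an owner or dimension
            report["complete"].append(f"{f.asset}: no inventory record")
        elif now - f.seen > MAX_AGE:         # stale observation, excluded from the current view
            report["timely"].append(f"{f.asset}/{f.issue}: last seen {f.seen.date()}")
        else:
            accepted.append(f)
    return accepted, report


def aggregate(findings: List[Finding], dimension: str) -> Dict[str, dict]:
    """Common scoring: criticality-weighted sum, worst single score and count per dimension value."""
    out: Dict[str, dict] = {}
    for f in findings:
        bucket = out.setdefault(ASSETS[f.asset][dimension], {"risk": 0.0, "max": 0.0, "findings": 0})
        bucket["risk"] += f.score * ASSETS[f.asset]["criticality"]
        bucket["max"] = max(bucket["max"], f.score)
        bucket["findings"] += 1
    for b in out.values():
        b["risk"] = round(b["risk"], 3)
    return out


if __name__ == "__main__":
    accepted, report = build_model(REPORT_DATE)
    for dim in ("bu", "region"):
        print(dim, aggregate(accepted, dim))
    print("data quality issues:", report)
```

Keeping the newest observation when two sources overlap is a design choice; the point is that the disagreement is surfaced in the consistency report rather than silently averaged away, and that findings which cannot be attributed to an inventoried asset, or are stale, never reach the aggregated view that an executive audience sees.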
Building on strong quantification foundations and data models, rapid advances in AI and data collection are expected to streamline the identification and burndown of cyber risk. By pursuing these capabilities, organisations can increase the value of their investment in cyber tools and capabilities while retiring ineffective processes and technologies.
Isobel Markham, senior writer, Executive Perspectives in The Wall Street Journal, Deloitte Services LP
As published by the Deloitte US Chief Financial Officer Program in the June 14 2025 edition of The Risk & Compliance Journal in the WSJ.
Disclaimer
This publication contains general information only and Deloitte is not, by means of this publication, rendering accounting, business, financial, investment, legal, tax, or other professional advice or services. This publication is not a substitute for such professional advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified professional adviser.
Deloitte shall not be responsible for any loss sustained by any person who relies on this publication.
About Deloitte
Deloitte refers to one or more of Deloitte Touche Tohmatsu Limited, a UK private company limited by guarantee ('DTTL'), its network of member firms, and their related entities. DTTL and each of its member firms are legally separate and independent entities. DTTL (also referred to as 'Deloitte Global') does not provide services to clients. In the United States, Deloitte refers to one or more of the US member firms of DTTL, their related entities that operate using the 'Deloitte' name in the United States and their respective affiliates. Certain services may not be available to attest clients under the rules and regulations of public accounting. Please see www.deloitte.com/about to learn more about our global network of member firms.
Copyright © 2025 Deloitte Development LLC. All rights reserved.