2018 Intelligent Reporting Summit Q&A: The Movement to Quantify IT Risk

Sovos
September 17, 2018

This blog was last updated on March 11, 2019

The information technology (IT) and risk departments in most organizations have generally had little to do with each other outside of specific tasks. However, now that some of the biggest potential risks companies face involve data security, a new effort seeks to help IT and risk experts speak a common language, coming together to quantify the risk involved in a potential data breach.

Katie Crammer is Director of Security Platform Strategy at Verizon. She will be a featured speaker at the 2018 Intelligent Reporting Summit in Denver in October, and shares her thoughts on marrying IT and risk management.

Sovos: It’s pretty clear what IT does, but what do risk experts do for a company?

Katie Crammer: Risk experts look at the financial exposure associated with all the business dealings a company undertakes, and risk management varies greatly from industry to industry. In a traditional risk office, risk experts are in charge of measuring risk and ensuring a company has appropriate coverage for any measured risk it might take. For example, mergers and acquisitions. Or real estate management, such as building facilities in flood plains. There’s also a human resources component that looks at risk of lawsuits, labor issues and other potential problems with employees.

Sovos: But despite the obvious dangers involved with data breaches, risk experts and IT professionals have not traditionally had a relationship?

Crammer: You used to have an IT security office in the basement staffed by four to six nerdy-looking dudes with four to six monitors each watching network traffic. Then, there was the risk office with financial staff in another part of the building, and the two never met. We’ve seen that start to shift but it’s still largely true that there’s very little communication.

Sovos: Part of what you’re trying to do is get IT and risk interests in on the same page. How does that work?

Crammer: They have to have a common language to even discuss the problem. That common language is dollars. They need to answer some difficult questions: What does my risk translate to in dollar value? Do I have insurance? How much is it going to cost me if I am breached? There is a lot to consider, including legal fees, restitution payments to victims, reputational damage, and increased governmental and press scrutiny, among other things.

Sovos: And it’s your goal to enable the parties involved to quantify that somehow?

Crammer: It’s difficult to get an exact measurement of risk here and we have no way to assess all of that today. The industry is not that mature. However, after some high-profile breaches all companies are now required to report if they’ve been breached and divulge how many records they lost. Insurance company records show how much a company paid out. So we know who has been breached and roughly what it has cost them. From that, we think we can develop an increasingly accurate equation by analyzing historical data. In developing that equation, we’re championing a common measurement for risk posture and threat level.

Sovos: How can the development of an equation that can quantify data security risk benefit the departments involved?

Crammer: When they go to ask for an investment from the CFO or Board, cybersecurity people walk into it with few tools in hand to support the ask because they have no way to quantify the return on investment. We need to be able to translate their requests into a future potential cost savings if the company is breached, multiplied by a probability of that happening. If somebody could go in and say a certain amount of risk exposure requires a certain level of security investment, everybody in the organization (particularly in the risk office and IT areas) would benefit. We can’t do that today, but we’re working on it.

Sovos: What kind of progress have you made?

Crammer: We launched the first risk model in April. We partnered with four other industry leaders. It’s not just about coming up with a model. We need input to run the model and understand the specific risk each organization has. We need to go to organizations and say here’s how you use the model on yourself.

Sovos: What kind of response have you had from companies so far?

Crammer: We’re definitely having to evangelize. Risk management for cybersecurity is the buzzword of 2018. People think the idea makes sense, but then they see what it means to execute. You have to be willing to stand your company on the scale, and not everybody is going to like what it says. We have beta customers we’ve been working with and they’ve asked lots of good, valid, and relevant questions. There’s the occasional response of “this isn’t meaningful for our business model” or “here’s why it’s not relevant to me” but it’s been a mix. CSOs either love it or they hate it.

Take Action

Katie Crammer has much more to share about data security and risk. Discover more at the 2018 Intelligent Reporting Summit. Plus, use code 2018GCS10 to receive 10% off your registration!
