Many vendors and organizations alike see opportunity and necessity in the nebulous realm of cyber risk quantification. As we’ve seen before, risk quantification and security risk modeling are nothing new to the world - dating back to sailing ship voyagers, as CyberSaint Chief Product Officer Padraic O’Reilly pointed out, and catalyzed by insurance organizations. Yet quantifying risk in the digital world has proven a unique challenge for many reasons - the first of which, as Padraic points out, “there simply isn’t enough data to quantify and understand cyber risk as we would other forms.”
Now, that is not to say that the effort of measuring cyber risk is not worth it. In fact, it is more critical than ever; we live in a world more driven by and saturated with data than ever. With organizations seeing valuations and revenues slashed in the face of data breaches and when other cyber events occur, improving cyber resilience is paramount. We are seeing more and more that executive leadership and Boards of Directors are requiring more insight into cybersecurity posture, and CISOs must present cyber risk in financial terms to inform decision-making.
O’Reilly and CyberSaint advisor Raphael Yahalom note that the type of cyber risk data is key. For cyber risk quantification, it is a matter of the threats, the eventual breaches, and what constitutes an event - is a data breach an event? Is a phishing attack, and to what extent? Determining where each form of cyber attack or event fits on the spectrum of actions against an organization, and mapping those events, along with the controls put in place to mitigate them, to business objectives, are the questions that actuaries and CISOs alike face when distilling cyber operations into risk models.
The highest-level function of cyber risk quantification is bridging the gap between business and technical leaders. Boards of directors and executives are trained to quantify risk in their sleep, yet the digital risks now facing them take a completely different form.
The top priority for any information security leader considering how to approach quantifying cyber risk is ensuring that the data they collect is useful to executive management in informing the organization’s higher-level strategy.
Currently, 60% of business leaders say that the information delivered by CISOs is not actionable, and 66% of Boards do not understand the cybersecurity data provided by information security leaders (Gartner). So, when deciding how your organization will begin quantifying cyber risk, consider who beyond the cybersecurity program needs this data: the CEO and the Board, certainly, but also other members of the executive team. Being able to quantify and present the organization’s cyber risk posture to a wide array of audiences is no longer optional. Within the cybersecurity organization, highly granular data is necessary to confirm that exposure has been reduced and that the organization is prepared to mitigate potential threats. As one moves up and out of the technical side, however, CISOs must be capable of presenting that data in financial terms. The conversation around security no longer stops at “Are we secure?”
As business leaders begin to integrate cyber risk data into their greater strategy, CISOs must be prepared to improve and iterate on their approach to quantifying risk incrementally. Beginning with a simple three-by-three matrix and working up to more complex frameworks and approaches such as NIST 800-30 or Factor Analysis of Information Risk (FAIR), CISOs must continuously weigh the cost and benefit of improving their risk assessment and management approach.
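As an added illustration of that progression (example code, not the article’s or CyberSaint’s own), the same scenario is scored first on a three-by-three likelihood/impact matrix and then as a FAIR-style annualized loss distribution; the matrix thresholds, the triangular sampling, and the scenario ranges are constructed assumptions.

```python
import random

# Added example: one risk scenario scored two ways, qualitative (3x3 matrix)
# and quantitative (FAIR-style frequency x magnitude). Thresholds and ranges
# below are constructed for illustration, not taken from NIST 800-30 or FAIR.

def matrix_rating(likelihood: int, impact: int) -> str:
    """Qualitative rating from a 3x3 matrix; both inputs run 1 (low) to 3 (high).
    Rating by product of the two scores is a common convention, assumed here."""
    if not (1 <= likelihood <= 3 and 1 <= impact <= 3):
        raise ValueError("likelihood and impact must be integers 1..3")
    score = likelihood * impact  # possible values: 1, 2, 3, 4, 6, 9
    if score >= 6:
        return "High"
    return "Moderate" if score >= 3 else "Low"


def simulate_annual_loss(lef, magnitude, trials=20000, seed=7):
    """FAIR-style estimate: annual loss = loss event frequency (events/year)
    x loss magnitude per event. Each input is a (low, most_likely, high)
    calibrated range; triangular sampling stands in for the PERT distribution
    that FAIR tooling typically uses (an assumption of this example)."""
    rng = random.Random(seed)
    yearly = []
    for _ in range(trials):
        freq = rng.triangular(lef[0], lef[2], lef[1])  # triangular(low, high, mode)
        # Turn a fractional expected frequency into a whole number of events.
        events = int(freq) + (1 if rng.random() < freq - int(freq) else 0)
        loss = sum(rng.triangular(magnitude[0], magnitude[2], magnitude[1])
                   for _ in range(events))
        yearly.append(loss)
    yearly.sort()
    return {
        "mean": sum(yearly) / trials,        # annualized loss expectancy
        "median": yearly[trials // 2],
        "p90": yearly[int(trials * 0.9)],     # one year in ten is at least this bad
        "max": yearly[-1],
    }


if __name__ == "__main__":
    # Constructed scenario: credential phishing leading to a data breach.
    print("3x3 rating:", matrix_rating(likelihood=3, impact=2))
    est = simulate_annual_loss(lef=(0.2, 0.5, 2.0),
                               magnitude=(50_000, 250_000, 1_500_000))
    print({k: round(v) for k, v in est.items()})
```

The matrix answer is a single label a Board can rank but not budget against; the simulation yields the financial terms the article says executives are asking for, at the cost of calibrated input ranges that take real effort to produce.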
Ensuring that, as you and your program mature, other stakeholders within the enterprise can keep pace with the metrics being delivered is critical. While committing to greater cybersecurity and risk awareness in company culture is always a good idea, starting with a more complex risk framework can prove too time-consuming for the value the project would deliver.
However, taking proactive steps to quantify cyber risk, regardless of the approach, is better than nothing. Organizations focused on compliance over risk end up designing their cyber program based on suggestions or requirements that don’t always align with their organization, and this is where cybersecurity programs start to see friction between risk and compliance security teams.
Purpose-built, risk-focused thinking inherently reduces friction in that it builds an information security program around the business objectives rather than a set of controls mandated by a governing body unfamiliar with your specific organization. Furthermore, solutions that align compliance assessments with cyber risk assessments ensure your organization stays in lockstep. It all begins with having an understanding of to what degree your organization needs to quantify cyber (and potentially third-party) risk right now.
Taking those first steps to quantify the risk associated with an existing control set is a great place to start. This process doesn’t happen overnight; the best cyber risk quantification solution starts where your organization already is in terms of controls and frameworks and integrates a risk quantification model into that process.
According to Gartner, deciding to invest in increasing the rigor of your cyber risk quantification approach comes down to four factors:
At the end of the day, maturing your cyber risk management program comes down to the ability to collect risk data, and to perform the subsequent risk analysis, in support of future decision-making. Both O’Reilly and Yahalom agreed that, where risk quantification stands today, CISOs need to prioritize seeking out the risk assessment frameworks that are best understood by their organizations - “maybe it’s a three-by-three matrix, or I’ve seen folks come to us wanting to explore FAIR. It’s all about finding the lingua franca that will be best understood by those in your organization,” said O’Reilly.
Given that cyber risk quantification models are still in their infancy, CISOs need to focus on taking meaningful measurements that help senior leadership make the most informed decisions. Starting is the most important step, whether NIST 800-30, FAIR, or a simple three-by-three matrix. When selecting a framework to build a risk management program around, though, it is most essential to be able to justify and explain the process behind the framework. The best answer, for now, is one that allows your organization to begin analyzing information risk in the most transparent way possible and delivering those risk scenarios to senior-level stakeholders.
CyberStrong is an all-in-one cyber risk management platform that delivers time and cost savings to security and risk teams. If you’re looking to invest in cyber risk quantification software, select one that supports a range of approaches, as CyberStrong does with NIST 800-30, FAIR, and CyberInsight. Contact us to learn how you can determine your organization’s risk exposure, calculate potential financial impact, and receive real-time updates on security controls with Continuous Control Automation (CCA).