It is easy to treat cybersecurity practices as “out of sight, out of mind” until there is a data breach and the C-suite is scrambling to ask “Why?” or, more importantly, “How?” For modern, forward-thinking companies, it is no longer enough to fill in a risk matrix and hope for the best.
Quantifying risk can seem a mystical process, especially when the reporting comes out of a black box. Many of the risk quantification techniques available today are, for all intents and purposes, black-box solutions: they ingest risk data and return metrics specific to the solution, with little or no explanation of how those metrics were derived. When we contrast “glass-box” with black-box in cybersecurity, we are contrasting transparent risk quantification, where the inputs, assumptions and calculations can be inspected and reproduced, with shielded risk quantification, where they cannot.
There is no one-size-fits-all approach to risk quantification. Too many variables and standards are in play to make a sweeping statement such as “This is the only way to avoid risk events.” Instead, CISOs should focus on how “glass-box” solutions raise a security leader’s confidence in the numbers, giving them faster insight, better-grounded decisions and meaningful action in a crisis.
Quantifying cyber risk is a relatively new practice. The need for concrete cyber risk quantification is now clear, but the landscape of frameworks for doing it is still fragmented. Return on security investment (ROSI) is hard to measure, and the results are hard to condense into a business-friendly form.
These difficulties have pushed many CISOs toward qualitative risk evaluation. At the same time, as demand for digital transformation grows, CISOs are under more pressure than ever to communicate risk effectively to a broad audience, from C-suite executives to company employees.
To frame cybersecurity practices in a business context, especially at the outset, security leaders must tell a story: how to build a security culture that revolves around business objectives rather than around nebulous controls mandated by a particular government body or regulator.
For example, when evaluating software to supplement current IT GRC systems, solutions that use artificial intelligence (AI) or natural language processing (NLP) can save countless person-hours by automating parts of risk and compliance work. Executive leadership may not be immediately interested in how NLP assists day-to-day operations. But by demonstrating how automation increases resilience and what real-time risk intelligence makes possible, you can build a narrative around risk and compliance that presents the program as an investment with measurable returns, rather than as an opaque “black-box” method that shows little return and few results.
The CyberStrong platform uses NLP to map control data across frameworks and standards dynamically, without requiring an analyst or team to build the crosswalk manually. This allows highly regulated organizations to achieve continuous compliance with an approach that goes beyond industry-standard mappings.
In fact, according to Gartner, by 2023, 25% of extra-large global enterprises will have adopted process automation for risk control testing and monitoring, which is an increase from fewer than 5% today. Gartner further predicts that by 2025, 30% of compliance management technology capabilities will have machine learning and natural language processing to interpret legislation and suggest relevant regulatory controls, which is an increase from fewer than 10% today.
When addressing resilience, it is vital to focus on long-term goals rather than short-term benefits. For cybersecurity practices to endure, deliberate effort must go into what Gartner calls the five organizational layers: leadership, culture, people, processes, and infrastructure. Resilience in this context means the ability to resist, absorb, recover from, and adapt to business disruptions.
In short, leadership must be willing to invest in cybersecurity initiatives that are agile and adaptable instead of relying on dated legacy systems that struggle to grow with the company. Leadership is also instrumental in building a culture that prioritizes mitigating threats and vulnerabilities, so that the people in the organization handle data securely as a matter of course. Processes and infrastructure matter just as much: a process that assesses risk only once a year, or once every other year, will always be playing catch-up on risk quantification and management. Infrastructure is what makes custom risk quantification methodologies possible, tracking, analyzing, and communicating risk profiles so that the strategy around risk is standardized, unified, and aligned.
To thrive in a digital age, organizations must build resilience into daily operations, or they risk leaving themselves wide open to threats and losing stakeholder and customer support. Risk quantification is not going away; as more industries move their existing systems into digital spaces, it will be necessary to survive in the new normal of the digital age. Even qualitative cyber risk assessments are better than no assessments at all.
Improving security posture through resilience will not happen overnight. Companies should instead move toward more precise risk assessments gradually and make sure their quantitative risk analysis method meets glass-box rather than black-box standards. Security leaders should always be able to explain the method by which they quantify risk: which inputs were used, what assumptions were made, and how the figures were derived. Data should drive decision-making; without the data, and without being able to show where it came from, the decisions may not hold up in a boardroom.
Keeping your security strategy flexible is paramount. A rigid process cannot adapt as threats, assets and business priorities change, so over time it leaves the organization less secure, not more. Security leaders also need to reassess periodically how their systems collect and analyze risk data so that the quantification process stays agile and adaptable. Only then can organizations sustain adequate risk management strategies.
Transparent risk quantification methods give all stakeholders and executives greater insight and visibility into the cybersecurity program, and give CISOs the tools and techniques to succeed. CyberStrong offers three models for cyber risk quantification: NIST SP 800-30, FAIR, and CyberInsight. By offering several quantification methods, it lets organizations of all sizes and maturity levels improve their security posture.
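To make the “glass-box” requirement concrete, here is an added example, written for this article; it is not CyberStrong’s code and does not describe how CyberInsight works. It implements a FAIR-style Monte Carlo estimate in Python using the public FAIR decomposition (loss event frequency = threat event frequency × vulnerability; annual loss = the sum of loss magnitudes over that year’s loss events), and it returns the inputs, method, seed and intermediates alongside the result, which is what lets a board or auditor reproduce the figures. The credential-stuffing scenario, its three-point estimates, the choice of triangular sampling and the control_benefit helper are constructed assumptions for illustration.

```python
"""Glass-box risk quantification, FAIR-style, in plain Python.

Added illustration, not CyberStrong's code nor its CyberInsight model. Uses the
public FAIR decomposition (loss event frequency = threat event frequency x
vulnerability; annual loss = sum of loss magnitudes over the year's loss events)
and returns every input and intermediate with the result. Numbers are constructed.
"""
import math
import random
import statistics
from dataclasses import asdict, dataclass, replace


@dataclass(frozen=True)
class Estimate:
    """Three-point estimate (min / most likely / max); sampled as a triangular distribution."""
    low: float
    mode: float
    high: float

    def sample(self, rng: random.Random) -> float:
        return rng.triangular(self.low, self.high, self.mode)


@dataclass(frozen=True)
class Scenario:
    name: str
    tef_per_year: Estimate        # threat event frequency: attempts per year
    vulnerability: Estimate       # P(an attempt becomes a loss event), 0..1
    loss_magnitude_usd: Estimate  # primary + secondary loss per event


def poisson(lam: float, rng: random.Random) -> int:
    """Knuth's algorithm; adequate for the small rates used here (lam well below 100)."""
    if lam < 0:
        raise ValueError("rate must be non-negative")
    threshold, k, p = math.exp(-lam), 0, 1.0
    while True:
        p *= rng.random()
        if p <= threshold:
            return k
        k += 1


def simulate(scenario: Scenario, trials: int = 10_000, seed: int = 2024) -> dict:
    """Monte Carlo estimate of annualized loss exposure, audit trail attached."""
    if trials <= 0:
        raise ValueError("trials must be positive")
    rng = random.Random(seed)  # fixed seed: anyone can regenerate the figures
    lefs, annual_losses = [], []
    for _ in range(trials):
        tef = scenario.tef_per_year.sample(rng)
        vuln = min(1.0, max(0.0, scenario.vulnerability.sample(rng)))
        lef = tef * vuln                    # expected loss events this year
        events = poisson(lef, rng)          # realised number of loss events
        loss = sum(scenario.loss_magnitude_usd.sample(rng) for _ in range(events))
        lefs.append(lef)
        annual_losses.append(loss)
    annual_losses.sort()

    def pct(p: float) -> float:
        return annual_losses[min(trials - 1, int(p / 100 * trials))]

    return {
        "scenario": scenario.name,
        "inputs": asdict(scenario),  # the glass box: inputs travel with the outputs
        "method": "FAIR-style; triangular sampling, Poisson event counts",
        "trials": trials,
        "seed": seed,
        "mean_lef_per_year": statistics.fmean(lefs),
        "ale_mean_usd": statistics.fmean(annual_losses),
        "ale_p10_usd": pct(10),
        "ale_p50_usd": pct(50),
        "ale_p90_usd": pct(90),
    }


def control_benefit(scenario: Scenario, control: str, vuln_after: Estimate,
                    annual_cost_usd: float, **kw) -> dict:
    """Net annual benefit of a control that only lowers vulnerability (a ROSI input)."""
    before = simulate(scenario, **kw)
    after = simulate(replace(scenario, name=f"{scenario.name} + {control}",
                             vulnerability=vuln_after), **kw)
    saved = before["ale_mean_usd"] - after["ale_mean_usd"]
    return {"control": control, "ale_before_usd": before["ale_mean_usd"],
            "ale_after_usd": after["ale_mean_usd"], "annual_cost_usd": annual_cost_usd,
            "net_benefit_usd": saved - annual_cost_usd}


# Constructed scenario: credential stuffing against a customer portal.
PORTAL = Scenario(
    name="credential stuffing vs. customer portal",
    tef_per_year=Estimate(2, 6, 20),
    vulnerability=Estimate(0.10, 0.30, 0.60),
    loss_magnitude_usd=Estimate(20_000, 150_000, 1_200_000),
)
```

Calling `simulate(PORTAL)` returns the annualized loss distribution (mean and 10th/50th/90th percentiles) together with the scenario inputs, the sampling method and the seed, so the same dictionary can be handed to a reviewer and regenerated exactly. `control_benefit(PORTAL, "phishing-resistant MFA", Estimate(0.01, 0.03, 0.08), annual_cost_usd=60_000)` runs the same model before and after a control that lowers vulnerability and reports the net annual benefit, which is the kind of ROSI figure the article says is hard to produce from a black box: here every number in it can be traced back to a stated estimate.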