3 Things You Need to Know About Cyber Risk Quantification

In case you missed it, there has been increasing buzz around funding and acquisition announcements of cyber risk quantification solutions recently, and for good reason. For years, cyber security was treated as a technology problem that security professionals and CISOs were expected to handle as long as they didn’t interfere with the business. But as cyber threats and ramifications increase, executives and boards are taking notice, and they want increased visibility into this existential threat in terms they can understand, now. Not only are we seeing increased oversight and regulations from the government, but we are seeing increased activity and sophistication from threat actors leading to costly events, like ransomware attacks. While the continued surge in cyber threat activity is unnerving, it is creating a demand for education and action that is long overdue. This is where cyber risk quantification comes in.

Simply put, Cyber Risk Quantification (CRQ) is the process of analyzing cyber risk in financial terms so you can prioritize risks based on the financial impact they pose. Historically, security professionals conducted cyber risk assessments via traditional security audits and/or risk assessment questionnaires. When used alone, these approaches provide a myopic perspective of an organization’s security posture: they rely on subjective inputs rather than direct data sources, and they do not translate those results into the financial context that CISOs can discuss with the board. This is driving boards to take matters into their own hands.

Cyber risk quantification arose as a means of bridging the gap between cyber risk assessments and cyber risk management by running the cyber vulnerabilities identified by risk assessments, like audits and questionnaires, through loss models to illustrate the financial impact they could have on an organization. This much-needed translation moves cyber risk management discussions from the data center to the board room, enabling improved transparency and better cyber risk decision making at the executive level. The benefits of this communication come in many forms: resource and budget allocation, informed governance and oversight, a clearer understanding of insurance needs, and increased communication and confidence between executives and security leaders. In other words, if you are still attempting to manage cyber risks using just traditional risk assessment tools, you’re missing a big opportunity to secure an ongoing spot on the board agenda and to get your team the support and resources needed to effectively manage risk.
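To make the "loss model" step concrete, here is an added example (not VisibleRisk's model or code, and not from the original article) of the simplest form such a model takes: each risk scenario is described by an expected event frequency and a single-event loss distribution, a Monte Carlo simulation draws thousands of simulated years, and the scenarios are ranked by expected annual loss alongside tail figures (95th and 99th percentile) that a board or insurer would ask about. The scenario names, frequencies and loss parameters below are constructed placeholders chosen for illustration; the distributional choices (Poisson event counts, lognormal single-event losses) are a common modelling convention, not something the article prescribes.

```python
import math
import random
from dataclasses import dataclass


@dataclass(frozen=True)
class Scenario:
    """One loss scenario identified by an assessment (e.g. a control weakness)."""
    name: str
    events_per_year: float  # expected number of loss events per year (Poisson rate)
    median_loss: float      # median loss per event in dollars (lognormal median)
    sigma: float            # log-scale spread of the per-event loss (higher = fatter tail)


def sample_event_count(rng: random.Random, rate: float) -> int:
    """Draw a Poisson(rate) event count (Knuth's multiplication method; fine for small rates)."""
    if rate <= 0:
        return 0
    limit = math.exp(-rate)
    count, product = 0, 1.0
    while True:
        product *= rng.random()
        if product <= limit:
            return count
        count += 1


def simulate_annual_losses(scenario: Scenario, trials: int, seed: int = 0) -> list:
    """Simulate `trials` years: for each year draw how many events occur and sum their losses."""
    rng = random.Random(seed)  # fixed seed so results are reproducible
    mu = math.log(scenario.median_loss)  # lognormal location parameter from the median
    annual = []
    for _ in range(trials):
        n_events = sample_event_count(rng, scenario.events_per_year)
        annual.append(sum(rng.lognormvariate(mu, scenario.sigma) for _ in range(n_events)))
    return annual


def summarize(annual_losses: list) -> dict:
    """Expected annual loss plus the tail percentiles a board or insurer typically asks for."""
    ordered = sorted(annual_losses)
    n = len(ordered)

    def percentile(p: float) -> float:
        return ordered[min(n - 1, int(p * n))]

    return {
        "expected_annual_loss": sum(ordered) / n,
        "p50": percentile(0.50),
        "p95": percentile(0.95),
        "p99": percentile(0.99),
        "prob_any_loss": sum(1 for x in ordered if x > 0) / n,
    }


def analytic_expected_loss(scenario: Scenario) -> float:
    """Closed-form check: rate * mean of the lognormal, mean = median * exp(sigma^2 / 2)."""
    return scenario.events_per_year * scenario.median_loss * math.exp(scenario.sigma ** 2 / 2)


def prioritize(scenarios: list, trials: int = 20000, seed: int = 1) -> list:
    """Rank scenarios by expected annual loss, highest first; returns (name, summary) pairs."""
    rows = [(s.name, summarize(simulate_annual_losses(s, trials, seed))) for s in scenarios]
    return sorted(rows, key=lambda row: row[1]["expected_annual_loss"], reverse=True)


# Constructed sample scenarios (placeholder figures, not real loss data).
SCENARIOS = [
    Scenario("phishing-account-takeover", events_per_year=2.0, median_loss=40_000, sigma=0.8),
    Scenario("ransomware-outage", events_per_year=0.1, median_loss=2_000_000, sigma=1.0),
    Scenario("decommissioned-system", events_per_year=0.0, median_loss=100_000, sigma=0.5),
]

if __name__ == "__main__":
    for name, summary in prioritize(SCENARIOS):
        print(f"{name:28s} EAL=${summary['expected_annual_loss']:>12,.0f} "
              f"p95=${summary['p95']:>12,.0f} p99=${summary['p99']:>12,.0f} "
              f"P(loss)={summary['prob_any_loss']:.2f}")
```

The point the ranking makes is the one the article is after: the frequent, cheap scenario and the rare, expensive one cannot be compared on an audit finding's "high/medium/low" label, but once both are expressed as expected and tail annual loss in dollars, they sit on the same axis as budget, insurance limits and risk appetite. The `analytic_expected_loss` helper exists so the simulation can be sanity-checked against the closed form before anyone trusts its numbers.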

Whether you have a cyber risk quantification plan in place or are just beginning, VisibleRisk’s subject matter experts have a few tips for you.

  1. Ensure your analysis includes validated data pulled directly from the technical sources. You should supplement security control audits and self-attested questionnaires with data pulled directly from your technology and security management tools, using an API where possible. This ensures a higher level of accuracy, thereby increasing the confidence of your executive teams, while significantly speeding up the data collection process.
  2. Don’t go it alone. Current CRQ processes require you to decide what data to analyze and how to collect it. As the cyber risk quantification space continues to evolve, solutions can now replace traditionally manual processes. The VisibleRisk platform, for example, systematizes the data collection and computes all the risk quantification scenarios for you, which reduces the amount of energy, time and money spent on your end.
  3. Be sure to incorporate benchmarking and action in your results. Cyber risk quantification is a process, not the end goal. At the end of the day, you want to achieve a clear understanding of which scenarios and control weaknesses create the most financial risk as well as a clear understanding of how well positioned your organization is to manage that risk. If your CRQ approach stops short of that outcome, and doesn’t provide benchmarking and prioritization insights that enable decision making and action, then you’re not getting a return on your investment.

We believe the CRQ buzz is a harbinger of better cyber security. Boards know you can’t have financial stability without cybersecurity, and the more engaged boards and non-technical executives become in the discussion, the more educated and cyber resilient we will all be.

VisibleRisk is a joint venture between Moody’s and Team8.