Many vendors and organizations alike see both opportunity and necessity in the nebulous realm of cyber risk quantification. As we’ve seen before, risk quantification and risk modeling are nothing new to the world - they date back to the voyages of sailing ships, as CyberSaint Chief Product Officer Padraic O’Reilly pointed out, and were catalyzed by insurance organizations. Yet quantifying risk in the digital world has proven a unique challenge, for many reasons - the first of which, as Padraic points out, is that “there simply isn’t enough data to quantify and understand cyber risk as we would other forms.”
Now, that is not to say that the effort of measuring cyber risk is not worth it. In fact, it is more critical than ever; we live in a world more driven by and saturated with data than ever before. With organizations seeing valuations and revenues slashed in the wake of data breaches and other cyber events, improving cyber resilience is paramount. We are seeing more and more that executive leadership and Boards of Directors require greater insight into cybersecurity posture, and that CISOs must present cyber risk in financial terms to inform decision making.
Padraic and CyberSaint advisor Raphael Yahalom note that the type of cyber risk data is key. For cyber risk quantification, it is a matter of the threats and eventual breaches, and of what constitutes an event: is a data breach an event? How does it compare to a phishing attack? Determining where each form of cyber attack or event fits on the spectrum of nefarious actions against an organization, and mapping those events, and the controls put in place to mitigate them, to business objectives, are the questions that actuaries and CISOs alike are challenged with when distilling cyber operations into risk models.
The highest-level function of cyber risk quantification is to further bridge the gap between business and technical leaders. Boards of directors and executives are trained to quantify risk in their sleep, and yet the new digital risks facing them take a completely different form.
How to Measure Cyber Risk For Your Organization
The top priority for any information security leader considering how to approach quantifying cyber risk is ensuring that the data they collect is useful to executive management in informing the organization’s higher-level strategy.
Currently, 60% of business leaders say that the information delivered by CISOs is not actionable, and 66% of Boards do not understand the cybersecurity data provided to them by information security leaders (Gartner). In response to this, when deciding how your organization is going to begin quantifying cyber risk, consider who beyond the cybersecurity program needs this data - the CEO and Board? Other members of the executive team? Being able to quantify and present the organization’s cyber risk posture to a wide array of audiences is no longer optional. Within the cybersecurity organization, highly granular data is necessary to ensure that the organization has reduced its exposure and is prepared to mitigate any potential threats. However, as one moves up and out of the technical side, CISOs must be capable of presenting that data in financial terms. No longer does the conversation around security stop with “are we secure?”
As business leaders begin to integrate cyber risk data into their greater strategy, CISOs must be prepared to incrementally improve and iterate on their approach to quantifying risk. Beginning with a simple three-by-three matrix and working up to more complex frameworks and approaches such as NIST 800-30 or FAIR, CISOs must continuously weigh the cost and benefit of improving their risk assessment and management approach.
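To make the progression above concrete, here is an added illustration (not CyberSaint’s code, and not from the article) of the same set of risk scenarios scored two ways: on a qualitative three-by-three likelihood-by-impact matrix, and as a simple quantitative expected annual loss (annual frequency times loss per event) of the kind a FAIR-style analysis eventually refines. The scenario names, frequencies, loss figures and bucket thresholds are all constructed sample values. The point it shows is the one a practitioner runs into first: the matrix places distinct scenarios in the same cell and can rank them differently from their financial exposure, which is what senior leadership ultimately asks about.

```python
"""Qualitative 3x3 risk matrix beside a quantitative expected-annual-loss view.

Added example for illustration; not CyberSaint's code. All scenarios, rates,
loss figures and thresholds below are constructed, not data from the article.
"""
from dataclasses import dataclass

# Bucket thresholds are assumptions for the example: a value maps to the first
# bucket whose upper bound it is strictly below.
LIKELIHOOD_BUCKETS = [(0.1, "Low"), (0.5, "Medium"), (float("inf"), "High")]      # events per year
IMPACT_BUCKETS = [(100_000, "Low"), (1_000_000, "Medium"), (float("inf"), "High")]  # USD per event
RANK = {"Low": 1, "Medium": 2, "High": 3}


@dataclass(frozen=True)
class Scenario:
    name: str
    annual_frequency: float  # expected number of events per year
    loss_per_event: float    # expected loss per event, in USD


def bucket(value, buckets):
    """Map a numeric estimate onto its ordinal matrix label."""
    for upper, label in buckets:
        if value < upper:
            return label
    return buckets[-1][1]


def matrix_score(s):
    """Three-by-three matrix cell: likelihood rank times impact rank (1..9)."""
    likelihood = RANK[bucket(s.annual_frequency, LIKELIHOOD_BUCKETS)]
    impact = RANK[bucket(s.loss_per_event, IMPACT_BUCKETS)]
    return likelihood * impact


def expected_annual_loss(s):
    """Simplest quantitative view: frequency times magnitude, in USD per year."""
    return s.annual_frequency * s.loss_per_event


def rank_scenarios(scenarios):
    """Rows of (name, matrix score, expected annual loss), highest loss first."""
    rows = [(s.name, matrix_score(s), expected_annual_loss(s)) for s in scenarios]
    return sorted(rows, key=lambda row: row[2], reverse=True)


def matrix_ties(scenarios):
    """Scenarios the qualitative matrix cannot tell apart, grouped by cell score."""
    groups = {}
    for s in scenarios:
        groups.setdefault(matrix_score(s), []).append(s.name)
    return {score: names for score, names in groups.items() if len(names) > 1}


# Constructed sample scenarios (hypothetical figures, not real loss data).
SCENARIOS = [
    Scenario("Phishing-led credential theft", annual_frequency=2.0, loss_per_event=50_000),
    Scenario("Ransomware on file servers", annual_frequency=0.2, loss_per_event=800_000),
    Scenario("Customer database breach", annual_frequency=0.05, loss_per_event=5_000_000),
    Scenario("Lost unencrypted laptop", annual_frequency=0.3, loss_per_event=40_000),
]

if __name__ == "__main__":
    print(f"{'Scenario':32} {'Matrix':>6} {'EAL (USD/yr)':>14}")
    for name, score, eal in rank_scenarios(SCENARIOS):
        print(f"{name:32} {score:>6} {eal:>14,.0f}")
    for score, names in matrix_ties(SCENARIOS).items():
        print(f"Matrix cell {score} cannot distinguish: {', '.join(names)}")
```

Run as a script it prints the scenarios ordered by expected annual loss with their matrix score alongside. With the constructed figures, the ransomware scenario sits highest on the matrix while the database breach carries the largest expected loss, and the phishing and database-breach scenarios land in the same matrix cell despite a 2.5x difference in expected loss. Moving from the matrix to even this simple quantitative view is the first incremental step the paragraph describes; a framework such as FAIR then replaces the single point estimates with ranges and distributions.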
Ensuring that, as you and your program mature, other stakeholders within the enterprise are able to keep pace with the metrics being delivered is critical. While committing to increasing cybersecurity and risk awareness in company culture is always a good idea, starting with a more complex risk framework can prove too time-consuming for the value such a project would deliver.
However, taking proactive steps to quantify cyber risk, regardless of the approach, is better than nothing. Organizations focused on compliance over risk end up designing their cyber program around suggestions or requirements that don’t always align with their organization, and this is where cybersecurity programs start to see friction between risk and compliance teams.
Purpose-built, risk-focused thinking inherently reduces friction in that it builds an information security program around the business objectives rather than around a set of controls mandated by a governing body unfamiliar with your specific organization. Furthermore, using solutions that align compliance assessments with cyber risk assessments ensures that your organization stays in lock-step. It all begins with understanding to what degree your organization needs to quantify cyber (and potentially third-party) risk right now.
Taking those first steps to quantify the risk associated with an existing control set is a great place to start. This process doesn’t happen overnight, and the best cyber risk quantification software starts where your organization is in terms of controls and frameworks and integrates a risk quantification model into that process.
Choosing the Path Forward
According to Gartner, deciding to invest in increasing the rigor of your cyber risk quantification approach comes down to four factors:
- Is there a precedent for the risk event in question?
- Is information about the risk available within your company or industry?
- Is the necessary process infrastructure in place (i.e., do you have financial loss data by event type)?
- Do you have access to the subject matter experts necessary to provide greater precision to the risk assessment?
At the end of the day, maturing your cyber risk management program comes down to the ability to collect risk data and produce the subsequent risk analysis that supports future decision making. Both O’Reilly and Yahalom agreed that, where risk quantification stands today, CISOs need to prioritize seeking out risk assessment frameworks that are best understood by their organizations - “maybe it’s a three-by-three matrix, or I’ve seen folks come to us wanting to explore FAIR. It’s all about finding the lingua franca that will be best understood by those in your organization,” said O’Reilly.
Given that cyber risk quantification models are still in their infancy, CISOs need to focus on taking meaningful measurements that help senior leadership make the most informed decisions. Whether NIST 800-30, FAIR, or a simple three-by-three matrix, starting is the most important step. When selecting a framework to build a risk management program around, though, what matters most is being able to justify and explain the process behind the framework. The best answer, for now, is one that allows your organization to begin analyzing information risk in the most transparent way possible and to deliver those risk scenarios to senior-level stakeholders.