Many vendors and organizations alike see opportunity in the nebulous realm of risk quantification. As we’ve seen before, risk quantification is nothing new to the world - dating back to sailing ship voyagers, as CyberSaint Chief Product Officer Padraic O’Reilly pointed out, and catalyzed by insurance organizations. Yet quantifying risk in the digital world has proven a unique challenge, for many reasons. As Padraic points out “there simply isn’t enough data.”
While we live in a world more driven by and saturated with data than ever, Padraic and CyberSaint advisor, Raphael Yahalom, note that the type of data is key. For risk quantification, it is a matter of the threats and eventual breaches and what constitutes an event - is a data breach an event? To what extent versus a phishing attack? Determining where each form of cyber attack or event fits on the nefarious spectrum of actions against an organization, as well as mapping these events and controls to business objectives are the questions that actuaries and CISO’s alike are challenged with when distilling cyber operations into risk models.
The highest level function for risk quantification is further bridging the gap between business and technical leaders. Boards of directors and executives are programmed to quantify risk in their sleep, and yet these new digital risks facing them are a completely different embodiment.
A finger in the air is better than a shrug
As O’Reilly points out when it comes to risk - “a finger in the air is better than a shrug.” While we may still be in the infancy of cyber risk quantification, taking proactive steps to attempt to quantify that risk, even if it’s more subjective than not, is better than nothing. Organizations focused on compliance over risk will end up molding their cyber program based on suggestions that don’t align with their business organization and this is where these teams end up causing friction.
Risk-focused thinking inherently reduces friction in that it builds an information security program around the business objectives rather than a set of controls mandated by a governing body unfamiliar with your specific organization. Taking those first steps to quantify the risk associated with your control set is a great place to start. This process doesn’t happen overnight and a more seamless solution starts where your organization is in terms of controls and frameworks and integrating a risk quantification method (be it NIST 800-30 or something like the FAIR model) into that process.
Cyber becomes ubiquitous
One of the great driving forces for both vendors and CISO’s alike to establish best practices for cyber risk quantification is the fact that the lines between digital and physical risk are becoming blurred. As Yahalom stated - “it’s not just that the lines are becoming blurred, cyber is integrating with existing risk models.” In this case, cyber risk is not just a matter for CISO’s, it is paramount for business leaders to have the means to quantify these new forms of risk as moving forward they will have a massive impact on all other risks.
There is no one answer (for now)
Both O’Reilly and Yahalom agreed that where risk quantification stands today, CISO’s need to prioritize seeking out frameworks that are best understood by their organizations - “maybe it’s a three-by-three matrix, or I’ve seen folks come to us wanting to explore FAIR. It’s all about finding the lingua franca that will be best understood by those in your organization.” said O’Reilly.
Given that cyber risk quantification is still in its infancy, CISO’s need to focus on firstly starting to quantify risk with the tools available today. Whether NIST 800-30, FAIR, or a simply three-by-three matrix, starting is the most important step. When selecting a framework to start with, though, it is most important to be able to justify and explain the process behind the framework. The best answer, for now, is one that allows your organization to begin documenting risk in the most transparent way possible and continue delivering value to senior level stakeholders.