Many vendors and organizations alike see opportunity and necessity in the nebulous realm of cyber risk quantification. As we’ve seen before, risk quantification and risk modeling is nothing new to the world - dating back to sailing ship voyagers, as CyberSaint Chief Product Officer Padraic O’Reilly pointed out, and catalyzed by insurance organizations. Yet quantifying risk in the digital world has proven a unique challenge, for many reasons - the first of which, as Padraic points out “there simply isn’t enough data.”
While we live in a world more driven by and saturated with data than ever, Padraic and CyberSaint advisor, Raphael Yahalom, note that the type of data is key. For cyber risk quantification, it is a matter of the threats and eventual breaches and what constitutes an event - is a data breach an event? To what extent versus a phishing attack? Determining where each form of cyber attack or event fits on the nefarious spectrum of actions against an organization, as well as mapping these events and controls to business objectives are the questions that actuaries and CISO’s alike are challenged with when distilling cyber operations into risk models.
The highest level function for cyber risk quantification is further bridging the gap between business and technical leaders. Boards of directors and executives are trained to quantify risk in their sleep, and yet these new digital risks facing them are a completely different embodiment.
A Finger In The Air Is Better Than A Shrug
As O’Reilly points out when it comes to information risk management - “a finger in the air is better than a shrug.” While we may still be in the infancy of cyber risk quantification, taking proactive steps to attempt to quantify that risk, even if it’s more subjective than not, is better than nothing. Organizations focused on compliance over risk will end up designing their cyber program based on suggestions that don’t align with their business organization and this is where these teams end up causing friction.Purpose built, risk-focused, thinking inherently reduces friction in that it builds an information security program around the business objectives rather than a set of controls mandated by a governing body unfamiliar with your specific organization. Taking those first steps to quantify the risk associated with your control set is a great place to start. This process doesn’t happen overnight and the best cyber risk quantification software starts where your organization is in terms of controls and frameworks and integrating a risk quantification model (be it NIST 800-30 or something like the FAIR model) into that process.
Cyber Becomes Ubiquitous
One of the great driving forces for both vendors and CISO’s alike to establish best practices for quantitative risk management is the fact that the lines between digital and physical risk are becoming blurred. Yahalom expounded on this point saying that “it’s not just that the lines are becoming blurred, cyber is integrating with existing risk models.” In this case, cyber risk is not just a matter for CISO’s, it is paramount for business leaders to have the means to quantify these new forms of risk to the business as moving forward they will have a massive impact on all other risks.
There Is No One Answer (For now)
Both O’Reilly and Yahalom agreed that where risk quantification stands today, CISO’s need to prioritize seeking out risk assessment frameworks that are best understood by their organizations - “maybe it’s a three-by-three matrix, or I’ve seen folks come to us wanting to explore FAIR. It’s all about finding the lingua franca that will be best understood by those in your organization.” said O’Reilly.
Given that cyber risk quantification models are still in their infancy, CISO’s need to focus on taking meaningful measurements that help senior leadership make the most informed decisions. Whether NIST 800-30, FAIR, or a simply three-by-three matrix, starting is the most important step. When selecting a framework to build a risk management program around, though, it is most important to be able to justify and explain the process behind the framework. The best answer, for now, is one that allows your organization to begin analyzing information risk in the most transparent way possible and delivering those risk scenarios to senior level stakeholders.