If you’ve attended any of our webinars on Cyber Risk Quantification (CRQ) in recent months, you’ll know that this is a topic I love talking about! You’re either thinking this is not true, or I’m paid to say that, right…? I know. Well, the truth is, I like problem-solving, and in the cyber world there are many pressing issues. CRQ can help address some of them.
I’ll be candid: people don’t come to us and say, “Please help us quantify our cyber risks” – although that would be a great position to be in. Usually, they express a concern or a challenge such as “I’m reading about ransomware attacks, and the overall loss is growing. How can I figure out our exposure?” Or they see that their budget for cybersecurity keeps shrinking and they want to know where they should focus resources and help communicate that with business leaders. That’s where CRQ allows us to dig deeper to find the answers.
It’s interesting to see where organizations are in terms of CRQ adoption. ThreatConnect recently ran a poll that found that most organizations were using qualitative risk assessment methods or were at the early stages of CRQ adoption. I think, if we run this poll in 12 months, we’ll definitely start seeing more people not only adopting quantitative methods but also optimizing and automating their strategies.
We’ve been tracking cyber risk quantification for years. It’s great to see more and more organizations really backing this new way of measuring cyber risk. Here are some of the key drivers accelerating the need for CRQ:
Business Leaders’ Interest:
CRQ can significantly improve the conversation – taking it from a once-technical dialogue to a more strategic one. ThreatConnect’s VP of Cyber Risk Strategy, Jerry Caponera, said, “Security cannot be ‘Doctor No’; security has to be yes with an ‘if’, or yes with a ‘but’”. I think this is a great way of putting it because security teams are not roadblocks. They provide recommendations backed by data for business leaders to make better decisions.
The Threat Landscape:
The cyber environment is unpredictable. It changes often and quickly, so businesses need to be able to adapt. A large proportion of breaches are preventable with strong controls and policies. These controls may come from security frameworks such as NIST CSF, ISO 27001, or CIS Top 20. With CRQ in place, businesses can ensure that they understand their key risks and address those first.
Research and Analysts:
We recently saw cyber risk quantification right at the top of Gartner’s hype cycle! Research firms and analyst firms are now recognizing the benefits of CRQ and recommending this approach to drive decision-making. John Wheeler, a former researcher at Gartner, describes CRQ as a critical component of Integrated Risk Management.
Cyber Insurance Premiums:
One of the major drivers comes from the insurance side – premiums are going up exponentially. Insurance carriers are starting to restrict the coverage that they offer because the financial impacts are changing. Now that it’s harder to transfer risk, businesses are having to decide what they are willing to accept or reduce – CRQ provides great insight here.
Over the next three blogs, I will be sharing what we’ve been hearing from CISOs, CIOs, and CFOs in the market as well as from partners and analysts. Our goal here is to share practical advice to help you operationalize your cyber risk quantification and accelerate Time to Value (TTV).
For more information on this topic, watch our on-demand webinar with Cyberminds Consulting and follow us on LinkedIn and Twitter.