Why Effective Cybersecurity Narratives Are Built Using Quantitative Metrics


As the world begins to get the global coronavirus pandemic under control, cybersecurity concerns are increasing. Attackers continue to build increasingly sophisticated capabilities, deploying them in a precisely targeted and persistent manner and aiming for enterprises’ most valuable and sensitive data. In many cases, these anxieties are underpinned by a climate of general uncertainty. As digital transformation efforts grow in scope and accelerate in speed, it’s becoming more and more difficult for security organizations to keep up with an ever-expanding attack surface.

The natural antidote to uncertainty-based fear is clear communication, but historically it has been difficult for chief information security officers (CISOs) to translate cybersecurity threats, which are often described in technical terms, into business risk, which is best communicated quantitatively and expressed in financial terms. As Jack Freund, Head of Cyber Risk Methodology at VisibleRisk, explained in a recent white paper, “Successfully presenting cybersecurity concerns to the board requires the ability to weave a narrative around what is occurring in the broader cybersecurity industry, how attackers are affecting industry peers, and using metrics, financial impact, and enterprise maturity to show how cybersecurity events will affect the enterprise.”


Now, how do we do this?

Cyber Risk Quantification (CRQ) is the process of identifying the risks that matter most to the organization by quantifying them based on potential financial and operational impact, unifying security and the business around a common goal.

To date, businesses have relied on qualitative assessments of cyber risk, which are imprecise and inadequate for exposing the potential harm from cyber events. With this heavily subjective approach, often reliant on the ‘gut feelings’ of experts inside the organization, we’ve tricked ourselves into believing that we understand the risks we face and that we are actually performing risk management in cybersecurity. In reality, we’re focused on only one element of the broader risk equation, and we’re missing the bigger picture. We need to assess the potential financial impact of cyber events, inform the business of that impact, and manage cybersecurity with the goal of mitigating potential harm to the business.

To fulfill our mission of protecting the organization from harm, we have to actually understand what that potential harm might be. But we cannot reach that level of understanding without a quantitative view of cyber risk. Cybersecurity needs a business-based decision support system that operates in real time. It needs automated cyber risk quantification.

Cyber risk quantification aligns cybersecurity with business objectives and creates a unified front against risks and threat actors. Quantifying cyber risk also allows the board of directors to understand prioritization, resource allocation, and the level of security investment needed to protect the business. Communicating risk scenarios in quantitative rather than qualitative terms makes all the difference.


About the Author
Anjali Chauhan

Anjali Chauhan is a Content Marketing Specialist at ThreatConnect.
