Jerry Caponera, the General Manager of Risk Products at ThreatConnect, was joined by Yousef Ghazi-Tabatabai, Director, Risk at PwC to discuss the impediments to measuring cyber risk in an organization.
The field of cybersecurity has been undergoing a significant shift, with organizations beginning to see the value of cyber risk quantification. Despite this growing awareness, the transition from conventional heat maps to systematic, financially expressed risk quantification has been full of impediments. In this interview, Yousef analyzes the root causes of these hurdles, ranging from unfamiliarity with the methodology to concerns about data.
Yousef highlighted that the obstacles to measuring cyber risk are twofold. Some are attitudinal, such as unfamiliarity with the approach leading to avoidance, while the more practical ones revolve around methodology and data. According to him, the financial modeling components built into risk quantification can be daunting, especially for security teams that lack a financial-analysis skill set. There is also the data concern: many organizations are fixated on the notion that accurate results require large volumes of data, and so hold back from the process because of a perceived lack of data.
However, as Yousef pointed out, these reservations are largely based on misconceptions. He emphasized that a vast amount of data is not a prerequisite: results that are meaningful for decision-making can be produced from minimal data, and the level of detail in the results improves as more data becomes available. Understanding this should dispel much of the worry.
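To make the "start with minimal data" point concrete, the following is an added illustration, not code or methodology from the interview, ThreatConnect, or PwC. It assumes a common quantification shape: a loss scenario is described by three-point estimates (minimum, most likely, maximum) of how often the event happens per year and how much a single event costs, and a Monte Carlo simulation turns those six numbers into an annual loss distribution a board can read as percentiles. The choice of triangular distributions for the three-point estimates and Poisson event counts is an assumption made here for simplicity, and all input values are constructed, not taken from any real organization. The second scenario shows the other half of the claim: narrowing the same estimates with better data tightens the result without changing the method.

```python
import math
import random
from dataclasses import dataclass
from statistics import mean


@dataclass(frozen=True)
class RiskInputs:
    """Three-point estimates for one loss scenario.

    Six numbers is the entire data requirement of this model. Values are
    constructed for illustration only.
    """
    freq_min: float    # fewest loss events per year considered plausible
    freq_mode: float   # most likely number of events per year
    freq_max: float    # most events per year considered plausible
    loss_min: float    # smallest plausible loss per event (currency units)
    loss_mode: float   # most likely loss per event
    loss_max: float    # largest plausible loss per event


def _poisson(rng: random.Random, lam: float) -> int:
    """Knuth's Poisson sampler; adequate for the small rates used here."""
    threshold = math.exp(-lam)
    k, p = 0, 1.0
    while True:
        p *= rng.random()
        if p <= threshold:
            return k
        k += 1


def simulate_annual_loss(inputs: RiskInputs, iterations: int = 20_000,
                         seed: int = 1) -> list[float]:
    """Return one simulated total annual loss per iteration.

    Each year: draw an event rate from the frequency estimate (triangular,
    an assumption), draw the event count for that rate (Poisson), then draw
    and sum a loss for each event from the magnitude estimate (triangular).
    """
    rng = random.Random(seed)  # fixed seed so the result is reproducible
    losses = []
    for _ in range(iterations):
        rate = rng.triangular(inputs.freq_min, inputs.freq_max, inputs.freq_mode)
        events = _poisson(rng, rate)
        total = sum(
            rng.triangular(inputs.loss_min, inputs.loss_max, inputs.loss_mode)
            for _ in range(events)
        )
        losses.append(total)
    return losses


def percentile(values: list[float], q: float) -> float:
    """Nearest-rank percentile, q in [0, 100]."""
    ordered = sorted(values)
    rank = math.ceil(q / 100 * len(ordered)) - 1
    return ordered[min(max(rank, 0), len(ordered) - 1)]


def summarize(losses: list[float]) -> dict[str, float]:
    """The figures a decision-maker actually asks for."""
    return {
        "mean": mean(losses),
        "p10": percentile(losses, 10),
        "p50": percentile(losses, 50),
        "p90": percentile(losses, 90),
        "p95": percentile(losses, 95),
    }


def spread(summary: dict[str, float]) -> float:
    """Width of the 10th to 90th percentile band: how uncertain the answer is."""
    return summary["p90"] - summary["p10"]


# Constructed inputs: a coarse first pass with wide ranges, then the same
# scenario after collecting more evidence (narrower ranges, same method).
COARSE = RiskInputs(0.5, 2, 6, 50_000, 300_000, 2_000_000)
REFINED = RiskInputs(1.5, 2, 2.5, 250_000, 300_000, 350_000)

if __name__ == "__main__":
    for label, inputs in (("coarse", COARSE), ("refined", REFINED)):
        s = summarize(simulate_annual_loss(inputs))
        print(f"{label:8s} mean={s['mean']:,.0f}  p50={s['p50']:,.0f}  "
              f"p90={s['p90']:,.0f}  p95={s['p95']:,.0f}  spread={spread(s):,.0f}")
```

The coarse run already answers the board-level question ("what is a bad year likely to cost?") with a defensible range; the refined run shows that additional data narrows that range rather than being a precondition for producing it. Real quantification programs typically use heavier-tailed magnitude distributions and calibrated estimators, but the data requirement stays this small.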
When asked to share his insights about the future of risk quantification, Yousef argued that the security world is on a "maturity journey". The recent rise in devastating ransomware attacks has brought security to the attention of the C-suite and the board, creating demand for risk communication that is demystified and quantified. Insurance and budgetary constraints add financial urgency, pushing organizations toward the adoption of risk quantification.
Yousef concluded the conversation by emphasizing the importance of risk quantification as a tool for communicating upward to the C-suite and board. He also maintained that, despite the initial hurdles, organizations would find the process easier than anticipated once they dipped their toes in. He encouraged organizations to start small, assuring them that the process would soon seem less daunting and more essential than ever before.