Unlocking Business Growth: The Need for Cyber Risk Quantification

By Scott Burman, Head of Advisory, Quorum Cyber

Business decisions hinge on well-calculated risk and high-quality, timely data. Leaders must continually interpret this data, anticipate future needs and solutions, and calculate the associated costs. Ensuring the business has the right skills and resources to provide relevant services and make a profit is a complex balancing act.

However, cyber risk presents a unique challenge: communicating it in business terms and relating it to how the business makes money. The role of the Chief Information Security Officer (CISO) bears immense responsibility, often leading to feelings of pressure and isolation because of the potential damage cyber threats can cause. But only by minimizing cyber risk and building cyber resilience can any organization thrive in today’s unpredictable and often inhospitable digital environment.

In contrast, most employees who work in other parts of the organization are usually oblivious to the implications of a cyber incident. In the worst-case scenario, a severe cyber-attack could cripple an organization. So, although cyber risk is often oversimplified, it’s a critical concern for organizations in all industries.

Lack of objectivity in cybersecurity risk analysis

Since cybersecurity risk was first recognized as a discipline, security teams have struggled to quantify cyber risk accurately and communicate it clearly to the business and to the board. As many people who have tried know, the attempt has frequently exposed a huge gap in understanding. Security teams have often relied on subjective data to make their case, leading to inaccuracies and a lack of hard evidence. Even when backed by well-researched studies, these approaches can be subjective and biased, potentially skewing data to fit a narrative rather than following a scientific method. This can result in ill-informed decisions and suboptimal actions that later manifest as serious consequences.

When one astute board member starts asking smart questions, the pack of cards can quickly collapse. They might ask how risks are rated and how separate or connected they are. Is the rating system linear? What does each risk depend on? If you add a few new risks, does the system stay upright?

Let’s be honest, much of this risk assessment has been based on guesstimates. I’ve been working in the security sector for more than 25 years and I still haven’t worked with an organization of any size, shape or sophistication that has implemented a robust, peer-tested cyber risk program. It’s time for business leaders and boards to demand that cyber risk assessment be conducted thoroughly.

Embedding CRQ into business strategy

Cyber Risk Quantification (CRQ) is a standardized approach for objectively assessing cyber risk exposure and potential outcomes of a cybersecurity incident in business-related terms. Various CRQ models exist, but most consider common elements such as key assets, likely scenarios, threat environment, potential business loss, mitigation time and cost, potential regulatory fines and penalties, and impact on business reputation.
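To make the idea concrete, here is an added example (not code from the article or from Quorum Cyber) of the smallest CRQ model that uses the elements listed above. It expresses each scenario's threat frequency, business loss, mitigation time and cost, regulatory fine and reputational hit, converts them into an expected annual loss in currency, ranks scenarios, prices a control's return on investment, and runs a seeded Monte Carlo simulation so that a tail figure (the 95th-percentile annual loss) can sit beside the average. All scenario names and figures are constructed for illustration, and the model assumes scenarios are independent and that losses simply add up.

```python
"""Illustrative cyber risk quantification (CRQ) model.

Added example, not from the original article. Every scenario and figure
below is constructed; the structure follows the elements the article says
most CRQ models share: key assets, likely scenarios, threat environment,
business loss, mitigation time and cost, regulatory fines, reputation.
"""
from dataclasses import dataclass
import math
import random


@dataclass(frozen=True)
class Scenario:
    asset: str                      # key asset at risk
    name: str                       # likely scenario
    annual_frequency: float         # expected events per year (threat environment)
    business_loss: float            # direct business loss per event
    mitigation_days: float          # time to contain and recover
    mitigation_cost_per_day: float  # cost of the response effort per day
    regulatory_fine: float          # expected fine or penalty per event
    reputation_loss: float          # estimated reputational impact per event

    def loss_per_event(self) -> float:
        """Single-event loss: the sum of the article's loss elements."""
        return (self.business_loss
                + self.mitigation_days * self.mitigation_cost_per_day
                + self.regulatory_fine
                + self.reputation_loss)

    def annual_expected_loss(self) -> float:
        """Expected annual loss = frequency x loss per event."""
        return self.annual_frequency * self.loss_per_event()


# Constructed sample scenarios (hypothetical figures in a single currency).
SCENARIOS = [
    Scenario("customer database", "ransomware", 0.2, 500_000, 10, 20_000, 100_000, 300_000),
    Scenario("payment gateway", "credential phishing leading to fraud", 1.5, 40_000, 2, 5_000, 0, 10_000),
    Scenario("public website", "defacement", 0.5, 5_000, 1, 5_000, 0, 20_000),
]


def portfolio_expected_loss(scenarios) -> float:
    """Total expected annual loss; additive, so adding a scenario is linear."""
    return sum(s.annual_expected_loss() for s in scenarios)


def rank_by_exposure(scenarios):
    """Scenarios ordered by expected annual loss, highest first."""
    return sorted(scenarios, key=lambda s: s.annual_expected_loss(), reverse=True)


def control_roi(scenario: Scenario, frequency_reduction: float, annual_control_cost: float):
    """Risk reduced per year and ROI ratio for a control that cuts event
    frequency by `frequency_reduction` (a fraction between 0 and 1)."""
    reduced = scenario.annual_expected_loss() * frequency_reduction
    return reduced, (reduced - annual_control_cost) / annual_control_cost


def _poisson(rng: random.Random, rate: float) -> int:
    """Poisson sample via Knuth's method (adequate for small rates)."""
    limit, k, p = math.exp(-rate), 0, 1.0
    while p > limit:
        k += 1
        p *= rng.random()
    return k - 1


def simulate_annual_losses(scenarios, years: int = 10_000, seed: int = 1):
    """Monte Carlo: independent Poisson event counts per scenario per year.
    Returns the sorted list of simulated annual losses."""
    rng = random.Random(seed)
    totals = []
    for _ in range(years):
        year_loss = sum(_poisson(rng, s.annual_frequency) * s.loss_per_event()
                        for s in scenarios)
        totals.append(year_loss)
    return sorted(totals)


def percentile(sorted_values, p: float) -> float:
    """Nearest-rank percentile of an already sorted list (p in 0..1)."""
    index = min(len(sorted_values) - 1, int(p * len(sorted_values)))
    return sorted_values[index]


if __name__ == "__main__":
    for s in rank_by_exposure(SCENARIOS):
        print(f"{s.asset:18} {s.name:40} {s.annual_expected_loss():>12,.0f}")
    print(f"portfolio expected annual loss: {portfolio_expected_loss(SCENARIOS):,.0f}")
    losses = simulate_annual_losses(SCENARIOS)
    print(f"simulated mean: {sum(losses) / len(losses):,.0f}  "
          f"95th percentile: {percentile(losses, 0.95):,.0f}")
    reduced, roi = control_roi(SCENARIOS[1], 0.6, 30_000)
    print(f"phishing control reduces risk by {reduced:,.0f} per year, ROI {roi:.0%}")
```

The value of the exercise is in the questions it forces: the average figure says what to budget for, the 95th percentile says what a bad year looks like, and the ROI line answers the board's "what do we get for the money?" question in the same units as every other investment. The model's weak point is also visible: it treats scenarios as independent and additive, so a dependency between two risks (for example, one control failing on several assets at once) has to be modelled explicitly before the numbers can be trusted.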

Today, just a few regulated industries make CRQ mandatory. However, I’m confident this movement will grow even more as more organizations and sectors adopt it in the months and years to come. Deloitte’s research has found that too many companies have no CRQ program in place. And those that do struggle to use it to drive business action. CRQ is a “nascent” market, according to Forrester, but it’s one that “will fundamentally revolutionize the way that security leaders engage with boards and executives to discuss cybersecurity.”

I agree 100%. I’m of the strong opinion that organizations should adopt CRQ as a mandatory strategy to protect their assets, employees, customers, and reputation. CRQ is a business enabler and accelerator to unlock business growth. Organizations that master it will gain genuine competitive advantages. This is because CRQ:

1. Aligns cybersecurity with business risks to give people a common language to discuss strategy

2. Bolsters organizational robustness by converting subjective risk models to objective evaluations

3. Guides capital investment decisions, assisting in risk capital allocation and measurement of return on investment (ROI)

4. Quantifies risk for potential moves, promoting better-informed and calculated risk-taking decisions

5. Can lower cyber insurance premiums by accurately defining risk based on evidence

6. Serves as a competitive edge, helping safeguard the organization and seize strategic opportunities

7. Enables fast decision-making by providing real-time analysis, anticipating a future with automated risk reporting and on-demand scenario analysis.

Ready to take the plunge?

I believe that CRQ can offer huge rewards for organizations that implement and run it well. Before getting started, here are the main points to consider:

• CRQ aims to refine risk management through gradual evolutionary changes, not drastic revolutionary ones, to understand the effects of each modification

• Success is tied to stakeholder support and effective implementation

• It’s a technological venture as well as an organizational transformation

• Choosing the right partner is key; an experienced team can offer deep knowledge of risk landscape and mitigation strategies, ensuring effective implementation of CRQ

• Be cautious of oblique solutions – data used in risk prediction should be relevant and high-quality. Ensure your CRQ partner understands your threat landscape, assets, and business objectives, and is clear about the variables in the CRQ analysis.

The escalating cyber threat landscape has long been a wake-up call to every organization to prioritize cyber risk. Gone are the days when it was sufficient to use subjective measures to protect IT systems, data, and reputations. It’s now crucial to elevate CRQ as a strategic priority and connect it (and give it parity) with the way that other organizational risks are reported on. The board and the CISO must work together to minimize risk by quantifying it across the business, and ensure that the organization is resilient and successful, regardless of the cyber threats it faces.
