Cyber Risk Quantification Is Set to Change How Cyber Risk Is Managed

The translation of cyber risk impact into financial terms enables security professionals to identify the most significant cyber risks based on the threats with the most consequential financial impact on the business

This is an exclusive interview conducted by the Editor Team of CIO News with Rahul Tyagi, Co-Founder at Safe Security

What do you think will be the turning point in cybersecurity risk management in the next five years?

The next five years will see a 15% increase in the cost of cybercrime, as the global cost of cybercrime may reach $10.5 trillion by 2025, as per a Cybersecurity Ventures Report. In this scenario, the answer is straightforward: Cyber Risk Quantification and Management (CRQM) will change how cybersecurity risk management is conducted.

Regulatory bodies, governments, and business and security leaders demand continuous and always-on visibility (and reporting) of risk. We are already witnessing a push towards quantifying cyber risk through global mandates such as the SEC Proposal in the USA, the NIS 2 Directive in the EU, the Financial Conduct Authority (FCA) Operational Resilience Guidelines in the UK, and so on.

Why is cyber risk quantification crucial for successfully mitigating and managing cybersecurity risk?

The World Economic Forum’s Global Risk Report 2023 mentions “widespread cyber insecurity” as a two- and eight-year concern across the world. So, as cyber is becoming one of the most important boardroom concerns, measuring its risk is also gaining momentum.

The significance of knowing whether your company is likely to be breached or suffer from a successful cyberattack or not can quite literally save a business from going under. In the face of a cyberattack, for example, a ransomware attack, the risk of closing the business's doors is high due to the costs associated with remediating the situation, losing customer trust, and possible downtime associated with resolving the attack.

Traditional approaches to cyber risk quantification (CRQ) have needed more practicality to drive actual decisions. It is often incorrectly believed that cyber risk cannot be quantified, and that could be attributed to the need for more historical data surrounding data breaches, the drivers of costs, and what the business impact could be.

With ample data and research, cyber risk quantification has found practical and scalable applications. Cyber risk quantification can empower security executives such as a CISO to lead meaningful discussions with numbers, display a sound business basis for prioritising and making investments in security, and measure results that will garner board and C-suite support for their security programme to protect the business better. These unparalleled advantages brought CRQ to the forefront in 2022, including in the prestigious Ponemon Institute's Annual Cost of Data Breach Report. In the report, they mention risk quantification as one of the top three prerequisites to reducing the cost of a data breach, bringing the total cost down by 48%!

At a time when the reduction of uncertainty in cybersecurity has tangible (read: financial) consequences for a business, organisations cannot rely on a subjective method. The translation of cyber risk impact into financial terms enables security professionals to identify the most significant cyber risks based on the threats with the most consequential financial impact on the business. Since the CISO's role is, at its core, to protect the business's ability to generate revenue, a CRQ platform is the key to making the shift from defence to offence. It can take an organisation from just protecting data to protecting the business's ability to continue generating revenue.

How can the CISO pave the way for new-age cyber risk management?

The modern CISO’s role is evolving from a technical expert to a business leader. Cybersecurity is now not just an IT issue; it is a board-level concern. To empower the new-age CISO and security leaders to justify their seats in the boardroom, they require solutions capable of translating technical cybersecurity data into the financial risk the business faces due to those risks.

Information is contextual, and in the case of cybersecurity, the risk enablers (CISO, CSO) need to put technical data into a business context to enable better, more robust cybersecurity strategies. For example, rather than explaining why a particular cybersecurity policy helps improve the cyber risk posture, a CISO should explain the reduction in financial impact of implementing the policy to the board.

Cyber risk quantification brings that missing business context to security conversations through the value that matters to drive decisions: the ultimate dollar impact. CISOs can drive this shift in three key ways:

  1. They must dynamically identify and proactively manage cybersecurity risk instead of awaiting quarterly or annual audit reports.
  2. CISOs should communicate the business impact of managed, accepted, and transferred cyber risk to the board.
  3. They should continuously measure their company’s cybersecurity risk posture and compare it to industry benchmarks.

When it comes to transforming cybersecurity through risk management, where should organisations start?

The cyber risk landscape has always been dynamic and difficult to predict; however, the rate at which businesses react to threats needs to be faster. Yesterday’s solutions cannot tackle today’s problems. The first step is to measure the company’s current level of security compared to industry standards. The question is, how do they do it?

Every organisation already generates and manages data using specific cybersecurity products, services, tools, and policies already in place in their environment. But enterprise risk is a factor of threats, vulnerabilities, and business consequences. Businesses are already collecting data to analyse risk; now they need to start quantifying it. They need a solution that brings together all the available cyber risk analyses into a single, unified, and dynamic platform. This platform should digest internal signals, layer them over external threats, and parse the information through sound data science-derived principles to provide real-time risk visibility.

About Safe Security:

Our Cyber Risk Quantification and Management platform, SAFE, provides security leaders with a real-time risk score, the potential financial impact of cyber events, and a list of prioritised recommendations. SAFE aggregates signals across 360 degrees of the enterprise attack surface: people, processes, technology, and third parties. Using data-science-backed algorithms co-developed with MIT, SAFE empowers security leaders to make data-driven decisions, justify cybersecurity ROI, and discuss cyber risk precisely with the board and management. Safe Security is positively impacting the cybersecurity industry by helping organisations, including CISOs, answer the following business needs, which go unmet by other solutions:

  • Understanding cyber health by looking at the likelihood of a business being breached
  • Benchmarking cybersecurity risk posture against industry peers
  • Converting cyber risk jargon into a language the board and CEO/CFO understand and appreciate
  • Answering the question: what is the cost to the business if the cyber risk is mitigated, transferred, or left as-is?
  • Getting the ROI to justify investments: If $1 is invested in improving cyber posture, does the financial risk decrease accordingly?
  • Getting prioritised and actionable insights at an asset level for security teams and at a macro level for the enterprise

If there was one piece of advice you wanted readers to take away from this Q&A, what would it be?

The single biggest problem with cyber risk management today is not measuring a business's risk posture in real time. Attackers never rest, and neither should cyber risk management. The time to move towards risk quantification is now!
