The importance of quantifying cyber risk


This year the conversation about cyber risk and cyber risk quantification must change.
Even the best vulnerability management program is not really addressing cyber risk. According to a study published last May by the Ponemon Institute titled, “Costs and Consequences of Gaps in Vulnerability Response,” more than 13% of all Common Vulnerabilities and Exposures (CVEs) have a severity score between 9.0 and 10.0 (the highest possible value). Of those 13%, 7,628 (or about 47%) are scored at 10.0. The question becomes how can a security team tell one 10.0 from another? And how do businesses know they are focusing on the right ones?

The answer is simple – without understanding that risk isn’t a technical issue, it is a business one, you can’t. Most businesses don’t know what their exposure is to any given cyber event, including what the impact is in terms of lost revenue, response costs, and secondary loss. Until now, the result has been a lack of focus on the risks that matter most to the business and an inability to communicate an accurate risk posture to the C-Suite and board of directors.

However, cybersecurity leaders have continued to struggle to communicate threats to leadership in other parts of the business. At one point, one of the Chief Information Security Officer’s (CISO) value propositions was storytelling and being able to communicate the desperation of the company’s cybersecurity situation to leadership based on relationship skills and intuition. What they ultimately were doing was giving a qualitative assessment of risk based on their experience and a gut feeling.

However, this subjective means of proving value is no longer an option. Just as employee counts and retention numbers are the most meaningful metrics for HR departments, security teams need something to communicate the value they are providing. Risk quantification technology, a measurement of what cyber risks matter most to a business in terms of financial and operational impact, is the much-needed next step for CISOs to command a conversation around resource prioritization, right sizing of budgets, and risk transference through insurance, among other things.

For example, at one of the world’s largest consumer packaged goods (CPG) companies, the central problem was that the organization’s business side was unknowingly accepting a high level of cyber risk as they were deploying digital services and applications during the COVID-19 pandemic. They were operating without a frame of reference for the financial risk their digital initiatives created, nor did they understand what the impact would be if a cyber attack was successful.

The security team needed a way to quantify what cyber risk meant in a business sense. All the typical indicators they used, such as indicators of compromise (IOCs) and CVSS scores, did not mean much to line of business (LOB) owners. They needed to communicate security protections with context and relevance, so application owners understood what cyber risk meant to their business.

By leveraging automated cyber risk quantification (CRQ) technology, the CISO’s office could, for the first time, demonstrate how the lack or increase of security controls affected financial risk and impacted each LOB. Business owners who wanted waivers for security controls for their applications could now be accountable for and see the risk their decisions brought to the organization.

CISOs have a choice to make in 2021: Continue to sink under the weight of daily alerts and fail to adequately protect an expanding attack surface or take the steps now to pinpoint the most important risks from a business and financial perspective and, for the first time, be able to effectively communicate cybersecurity policy and funding requirements to the business leadership.

Risk occurs when companies have something valuable to lose, a threat that is capable of doing damage, and a lack of capability to respond to that threat. CRQ technology marries the three most critical aspects of cybersecurity—risk, threat, and response—by assessing how menacing a cyber threat is to a company, the financial and operational impact of a successful attack, and the company’s capability of defending itself against the threat.

Addressing these critical pillars provides organizations with an inside out view into the risk facing the company, and a way to communicate it to leadership in business terms. Most security professionals would say that we are losing ground to hackers, and we need to change how security is done. Cyber risk quantification revolutionizes the way organizations protect themselves by turning intelligence into action.