The demand for Cyber Risk Quantification (CRQ) within an organization is becoming increasingly prevalent. A survey conducted by the SANS Institute found that over 75% of security professionals employ CRQ or plan to in the next 18 months.
However, a study by Gartner suggests that by 2025, 50% of cybersecurity leaders will have tried and failed to use CRQ to drive enterprise decision-making.
In this article, we’ll examine the central characteristics of CRQ, why organizations are pushing to use it, its main benefits, and what businesses can do to ensure CRQ is implemented effectively.
What is Cyber Risk Quantification?
CRQ calculates the potential financial loss and impact of a cyberattack or data breach on an organization. It involves assessing the likelihood and severity of a cyber event, identifying the assets and data that could be affected, estimating the costs of recovery and remediation, and determining the potential financial and reputational damage.
By describing cyber risk in financial and business-relevant terms, organizations can prioritize risks and mitigation strategies according to their potential for financial loss. This enables companies to create budgets based on mitigation strategies that afford the best protection and return on investment.
CRQ is designed to give security and compliance professionals a greater understanding of cyber risk management.
Why are organizations pushing for more CRQ data?
According to the IBM-Ponemon 2022 Cost of a Data Breach report, CRQ can reduce the cost of a breach by nearly 50%. It’s for reasons such as this that security leaders are under mounting pressure to produce CRQ data, but what benefits does it offer?
Bridges the gap between technical and business stakeholders – CRQ explains risk in monetary terms. Data becomes more relatable for top-level executives and can help inform their decision-making process. Instead of quantifying the risk of a data breach as high, medium or low, telling board members it could lose the company millions of dollars is far more impactful and is more likely to secure their buy-in.
Demonstrates cybersecurity is a business enabler and provides strategic value – Cybersecurity discussions often focus more on tactical benefits rather than how it can add value and be a business enabler. CRQ can help demonstrate to senior leaders that investing in cybersecurity will deliver financial value by protecting the firm’s bottom line and delivering positive business outcomes.
Prioritize risks and controls to create effective risk mitigation strategies – CRQ enables security teams to make decisions in the context of business imperatives and helps create mitigation strategies that afford the organization the best protection and return on investment. For example, CRQ can help companies decide which third parties or software to use, as it will inform them which vendor or software is more likely to yield a better ROI.
CRQ enables calculated risk-taking – As businesses evolve and grow, decisions will need to be taken that inevitably have some risk associated with them. CRQ enables companies to quantify risk so that organizations can make more informed decisions.
Regulatory Compliance – Regulators such as the Securities and Exchange Commission (SEC) are actively ensuring cybersecurity solutions are deployed correctly to protect revenue, reputation, and shareholder value. CRQ is emerging as the common language security and business leaders use to translate cyber risk exposure metrics into the financial cost of that exposure.
Comprehensive and cheaper insurance cover – As cyberattacks increase, so do insurance premiums; for example, US prices increased by 79% in Q2 2022 compared with 2021. Insurance companies are compensating for fewer losses, making it harder for organizations to become insured. CRQ can help companies accurately define their risk and losses, which will help lower insurance premiums and gain more comprehensive cover.
An effective CRQ program solves cybersecurity challenges and unleashes the potential for business growth.
Why do CRQ programs fail to deliver action-based results?
According to Gartner, 62% of security and risk management leaders are achieving awareness-based results, such as increased credibility with senior stakeholders. However, only 36% achieved action-based results, such as saving money or adding value to strategic decision-making. Below are some of the main reasons why CRQ programs fail:
Not understanding which problem CRQ is trying to solve within your organisation: For CRQ to be effective, you must first understand the problem you’re trying to solve, whether that’s better reporting to the Board or increasing engagement. Implementing CRQ without a specific use case will be extremely difficult, as there is no goal to aim for.
Lack of reliable data: CRQ relies heavily on accurate data sources. If an organization cannot provide up-to-date data for CRQ, any risk assessment or quantification process will be flawed.
Lack of integration with risk management frameworks: Organizations have unique risk profiles, compliance requirements, and operational considerations. If quantification programs don’t tailor their content and methodologies to fit existing risk management frameworks, businesses may struggle to apply CRQ effectively.
Limited understanding of impact: Identifying business-critical assets and processes provides a clear understanding of the potential impact of cyber risks on an organization. Failure to do this can result in limited knowledge of possible consequences. This lack of understanding could lead to incorrect or insufficient cyber risk assessments, leaving organizations vulnerable to threats.
Poor communication with decision-makers: When reporting to senior leadership, attention is often focused on the numbers of the CRQ analysis instead of the story behind the analysis. If your desired outcome gets lost in the numbers you’re presenting, leadership will not understand what the CRQ analysis is trying to achieve.
Collaboration and communication are central to the success of an organization’s CRQ program.
How do companies implement an effective CRQ program that increases risk awareness and delivers results? Below we outline the features of a successful approach:
Have a strong use case for CRQ: For CRQ to be effective, a company needs to ensure they have a strong use case for why it should be implemented. This will enable a company to build effective processes that solve business problems and ensure the longevity of a CRQ program.
Narrow the focus: Identify the threats that could cause the most damage and map them onto business-critical processes and assets. Avoid trying to address all risks. Prioritize those that matter most to the objectives your organization is trying to achieve.
Integration of frameworks: Integrate CRQ into existing enterprise risk management frameworks. CRQ establishes parity between cybersecurity and other business risks, enabling stakeholders to make data-driven decisions.
Accurate data sources: For CRQ to be effective, organizations need accurate and comprehensive data. This data should include recent security incidents, such as how often DDoS and command and control incidents occur, how sufficient current security controls are, and information from legal and privacy teams on the impact of an incident. You should also understand how your company makes money so that if an outage or incident occurs, its impact on revenue is evident.
Understand the difference between control maturity and efficacy: When using CRQ to assess a specific control, enterprises should understand how much it actually reduces risk rather than simply looking at its maturity. Focusing on a control’s policies and processes instead of measuring how effectively it decreases risk won’t help a company determine its actual loss expectancy.
Culture shift from compliance to business-focused decisions: A culture change is needed to ensure decision-makers use CRQ outcomes to make business decisions rather than just compliance-focused decisions. If security leaders only consider compliance angles and implement controls that have little impact in reducing risk instead of making decisions based on business needs, CRQ will have little effect.
Focus on the story of your analysis: Security leaders should ensure that CRQ results are communicated clearly and effectively. The most effective way to do this when conducting your CRQ analysis is to focus on the issue you’re trying to solve with your numbers. If the story you’re trying to tell gets lost in the numbers, the messaging and actions you want to achieve will not be communicated effectively.
Implementing processes in a measured and incremental manner will ensure the effectiveness of a CRQ program.
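A worked illustration of the loss-expectancy and control-efficacy points above, as an added example that is not SureCloud’s code or a tool the article describes: it simulates annual loss from uncertain event frequency and per-event loss, then ranks candidate controls by the return on the loss expectancy they remove, ignoring their maturity score. The ransomware scenario, the three controls and every figure are constructed.

```python
"""Monte Carlo loss expectancy (added example, not SureCloud code; all figures constructed)."""
import math, random
from dataclasses import dataclass

@dataclass(frozen=True)
class Control:
    name: str
    annual_cost: float   # yearly cost of running the control
    freq_factor: float   # multiplier on event frequency (1.0 = no effect)
    loss_factor: float   # multiplier on loss per event (1.0 = no effect)
    maturity: int        # 1-5 maturity score, deliberately unused: efficacy is what counts

def poisson(rng, lam):
    """Knuth's sampler: number of events in one year at expected rate lam."""
    limit, k, p = math.exp(-lam), 0, 1.0
    while True:
        p *= rng.random()
        if p <= limit:
            return k
        k += 1

def simulate_ale(freq, magnitude, control=None, trials=20_000, seed=7):
    """Annualized loss expectancy; freq/magnitude are (min, most likely, max) triples."""
    rng = random.Random(seed)  # fixed seed so results are reproducible
    ff, lf = (control.freq_factor, control.loss_factor) if control else (1.0, 1.0)
    total = 0.0
    for _ in range(trials):
        lam = rng.triangular(freq[0], freq[2], freq[1]) * ff   # events/year this trial
        events = poisson(rng, lam)
        total += sum(rng.triangular(magnitude[0], magnitude[2], magnitude[1]) * lf
                     for _ in range(events))
    return total / trials

def rank_controls(freq, magnitude, controls):
    """Rank controls by ROI of the loss expectancy they remove, not by maturity."""
    base = simulate_ale(freq, magnitude)
    rows = []
    for c in controls:
        reduction = base - simulate_ale(freq, magnitude, c)
        rows.append((c.name, round(reduction), round((reduction - c.annual_cost) / c.annual_cost, 2)))
    return sorted(rows, key=lambda r: r[2], reverse=True)

# Constructed scenario: ransomware against an order-processing platform
RANSOMWARE_FREQ = (0.5, 1.5, 4.0)               # events per year (min, likely, max)
RANSOMWARE_LOSS = (50_000, 250_000, 2_000_000)  # $ per event incl. downtime and recovery
CONTROLS = [
    Control("Phishing-resistant MFA", 120_000, 0.4, 1.0, maturity=2),
    Control("Immutable backups with tested restores", 90_000, 1.0, 0.7, maturity=3),
    Control("Annual policy attestation", 40_000, 0.95, 1.0, maturity=5),
]
```

Calling rank_controls(RANSOMWARE_FREQ, RANSOMWARE_LOSS, CONTROLS) places the highly mature but low-efficacy policy control last, which is the maturity-versus-efficacy distinction in numbers.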
What does a company need to start using CRQ?
If your organization wants to implement a CRQ program but doesn’t know where to begin, below are some practical steps that you should follow:
- Understand the business problems you are trying to solve with CRQ. This enables the implementation of processes, procedures and reporting, the foundation of a successful CRQ program.
- Ensure you have buy-in from senior executives. If leadership can understand the problem CRQ is trying to solve and its benefits, it will be far easier for a company to deliver action-based results.
- Integrate CRQ into your current enterprise risk management frameworks to establish parity between cyber risks and other organisational risks.
- Identify the use cases for CRQ. Narrow the focus of your CRQ analysis to the threats that could cause the most damage to your organization’s business-critical processes and assets.
- Gather the data needed for CRQ from within your organization. This could be obtained from incident records and legal teams, and data on your controls can be gathered through red team exercises.
- Keep the story you are trying to tell with your numbers at the forefront of your analysis for effective reporting.
- Use open-source data for assistance. A good starting point is becoming a member of the FAIR Institute or accessing Netflix’s open-source software center to learn more.
As cyberattacks become more sophisticated and the number of threats increases, more organizations are shifting to CRQ to assess risk. However, despite this, many businesses fail to extract action-based results, such as reducing costs and adding value to strategic decision-making.
If CRQ is to be effective and deliver action-based results, companies require mature cyber risk assessment processes. If a company doesn’t understand what it is trying to achieve with CRQ, fails to integrate CRQ with its enterprise risk management frameworks, or lacks reliable data sources and a robust cyber culture, the chances of CRQ making an impact on security teams and business leaders will be severely reduced.
To find out more about SureCloud’s Cyber Risk Quantification services, visit www.surecloud.com