Bringing Cyber Security Into the Fold of Enterprise Risk Management

Too many CEOs and business leaders are left in the dark as to the true financial risks they face from cyber events. For far too long, they’ve been told that cyber risk cannot be quantified in the same manner as operational risk or credit risk. They’ve been told that cyber is too technical to distill down into a business-oriented view – that it is about vulnerabilities, exploits, patch cycles – technical stuff that you wouldn’t understand. But with cyber risk representing a top three business concern, these days are coming to an end. Cyber risk is ready to join the realm of Enterprise Risk Management, and it must in order to prevent the surprise shock of massive financial impact from cyber events.

It isn’t that security leadership has been dodging the question; they just haven’t had the tools, techniques and guidance needed to drive a risk-oriented view into cyber security. The good news is this – technology has evolved not only to battle the bad guys, but to help financially quantify risks, set risk appetite, and guide investment and risk mitigation decisions to help best protect the organization. We’ve entered the golden age of Cyber Risk Quantification (CRQ). CRQ technology enables businesses to put a dollar sign on cyber events, allowing for proactive cyber defense and data-driven decision making across the board. We’re entering the age where CRQ will become ubiquitous, but there are pitfalls to avoid.

Challenges faced by early cyber risk quantification adopters

The science behind CRQ, and the art of putting it into place, is only a few years old – but early adopters have faced significant hurdles that you’d be wise to avoid. Early pioneers approached the issue by hiring consultants who built bespoke risk models, charged large sums to maintain them, and produced outputs for the organization periodically. The challenges of this approach come down to time, money and actionability. With the constantly evolving landscape of cyber risk, spending months to build a model based on subjective human inputs (as opposed to near real-time data from security infrastructure), taking months more to produce risk assessment outputs (making them as stale as month-old bread), and doing so at enormous cost is nearly as useless as not quantifying cyber risk in the first place.

Another approach has been to use the Factor Analysis of Information Risk (FAIR) model – which is quickly replacing the bespoke approach and becoming a global standard. FAIR does provide a novel approach to deconstructing risk, and given its wide adoption, overcomes issues related to questioning methodology, taxonomy and outputs. But the proponents behind FAIR still steer organizations to an untenable proposition – lengthy and widescale training programs, human interrogation for data collection versus data ingestion from security infrastructure, costly professional services engagements and lackluster software solutions.

As a result, while many businesses use risk quantification based on FAIR, the outcomes are too often neither actionable, automated nor data driven. As we have seen demonstrated repeatedly during 2020, businesses need the ability to adapt technology quickly to keep up with times of uncertainty. This is why data-driven and automated cyber risk quantification technology is paramount.

The future of cyber risk quantification

Automated cyber risk quantification technology takes the guesswork out of cyber-related business decisions. With its ability to attach a dollar sign to incoming threats, stakeholders across the organization can clearly see which incoming threats are the most dangerous, estimate the net financial loss if the threat goes unresolved, ascertain whether the organization has proper structures in place, and determine whether future technology investments are necessary for the health and safety of the business. Automation removes the guesswork, and years of human error, from the process and allows for seamless, data-driven business decisions.

Threat actors will not wait three to six months for your business to go through a manual risk quantification process. With automated cyber risk quantification technology, actionable results are available to businesses in hours rather than months—allowing business leaders to make game-time decisions prior to an attack.

Looking forward, the management of cyber risk must be data driven, automated and actionable. The technology to accomplish a new level of cyber risk quantification now exists. Enterprises can no longer afford to delay its deployment.