Axio’s CRQ Included in Gartner’s 2024 Hype Cycle for Cyber-Risk Management
Historically, Gartner’s Hype Cycle for Cyber-Risk Management focused more on benchmarking and probability, but the 2024 edition increases its emphasis on business-impact-focused qualification. At Axio, we’ve long held the belief that if you’re doing cyber risk quantification (CRQ) based on the probability of an event alone, you’re missing the boat on actually achieving cyber resilience. You need to be able to evaluate risks based on the quantified impact on your business if an incident were to occur. We’re excited to share that the latest Gartner Hype Cycle for Cyber-Risk Management includes Axio this year and increases its focus on evaluating the impact of an event, which benefits any organization looking to understand and implement solutions that reveal the costs and benefits of its cyber decisions.
Previous CRQ Focus
Traditional CRQ methods frequently emphasized qualitative assessments and expert judgment through benchmarking and probability assessments. Benchmarking can help an organization identify gaps where it lags behind industry standards and set goals for improvement, which in turn helps justify cybersecurity investments. Probability assessments are usually expressed as a numerical value or probability range and draw on historical data, threat intelligence, expert judgment, and statistical modeling to help an organization understand its risk profile. While these methods can help organizations better understand their risk profile, they give security and leadership teams no understanding of the business impact of an event and therefore no ability to address the real-world consequences of cyber incidents.
Assessing Business Impact Enables Greater Alignment
Gartner’s 2024 Hype Cycle increases its emphasis on business impact in CRQ, stating that: “By 2026, 60% of cybersecurity functions will implement business-impact-focused risk assessment methods, aligning cybersecurity strategies with organizational objectives.” This alignment between cybersecurity and organizational strategy is long overdue, particularly given the evolving threat landscape, the many cybersecurity solutions available, and business models that are heavily reliant on technology.
When discussing CRQ with business leaders, it’s important to link risks to business outcomes and highlight the potential impact of an adverse event. The SEC’s recent requirement for publicly traded companies to quickly disclose the material aspects of an incident’s nature, scope, and timing as well as impact highlights just how closely cybersecurity is tied to business outcomes.
To effectively quantify cyber risk, you must start by analyzing business assets using objective data from existing business impact analysis and monitoring capabilities, instead of subjective probability estimates based on historical incidents or rare events. Organizations need to spend more time understanding how the failure or loss of key technological dependencies can impede their business, and what can be done to minimize such impacts if they do occur. To do this, start on the business side of the equation: identify the core products and services that form the lifeblood of your business and rank-order them by revenue contribution in order to get an accurate understanding of their importance to the business.
How the CrowdStrike Outage Ties to CRQ
A CrowdStrike Falcon content update on July 19, 2024, caused a massive, worldwide IT outage that crashed millions of Microsoft Windows systems, disrupting critical services and business operations. Falcon monitors the Windows operating system in real time and is tightly integrated with the Windows kernel, which is why the logic flaw resulted in a system crash and the dreaded blue screen of death. The initial fix required hands on keyboards to delete the file that introduced the logic error, and the outage affected airlines and airports, public transportation, healthcare, financial services, and even media and broadcasting.
Fortunately, this event wasn’t a ransomware attack or another type of cyber incident (although threat actors were quick to use the outage to carry out malicious activity), but it still caused serious issues and an estimated $5.4 billion in financial losses for Fortune 500 firms alone. Organizations rarely model these black swan type events; yet while the specific event may be challenging to predict, the likelihood of some significant event is not. It’s further evidence that considering the business impact of an event is vital to managing overall risk.
Indeed, by analyzing how the failure or loss of key dependencies would impact business, it’s possible to identify existing built-in resiliency from other capabilities that could facilitate normal operations. The reality is that if an organization’s ability to operate successfully relies on one or more single points of failure, identifying those points and finding alternative ways to enable operations can significantly reduce the business impact if a failure does occur.
These alternatives may be technological or non-technological. For example, a hospital may have fallback plans for its EMR going down due to a natural disaster or cyberattack. Do those fallback plans also work in the case of a massive IT outage? For many hospitals, any of these events means turning to regular downtime procedures and paper backup options, because waiting for a specific technology to recover from a failure could result in death. The key is to identify alternative enablers, discover how much they cost, and determine at what price point those investments are worthwhile.
Impact-Based CRQ Enables Better Decision-Making
CRQ enables decision-making and allows a company to better prioritize and prepare for the unknown by helping your team focus on critical assets, which in turn supports prioritized security measures and optimal resource allocation. When organizations have a holistic understanding of the impact of business disruption, it becomes possible to make data-driven decisions about risk mitigation strategies and develop effective business continuity plans. An impact-based CRQ solution assigns a financial value to each decision, so it becomes easier to understand the costs and benefits of your cyber decisions. This approach ensures that your organization can take a hit, such as an adverse cyber event or an IT outage due to a service provider error, without impacting its ability to deliver value. To accurately quantify cyber risk, you must:
- Define risk scenarios based on security scans, recent events, and real losses that cover both the initial incident or intrusion and the full attack path. This will help you identify critical business functions and assets.
- Calculate the potential impacts of various cyber incidents, including IT outages, to measure both the financial and tangible impacts to your organization and third parties.
- Communicate these results to the appropriate teams using business language so everyone can understand the impacts identified.
- Develop models that start with business impact and work backward to identify and mitigate risks based on which actions will make the biggest difference to business outcomes.
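As an added illustration of the impact-first approach described above (not Axio’s methodology or code), the toy model below ranks services by revenue, costs the loss of a shared technology dependency net of existing fallbacks, lists single points of failure, and computes the price point below which an alternative enabler is worth buying. The hospital services, revenue figures, dependencies and fallback fractions are all constructed assumptions.

```python
from dataclasses import dataclass, field

@dataclass
class Service:
    """A revenue-generating service and the technologies it cannot run without."""
    name: str
    annual_revenue: float        # USD per year (constructed figures)
    dependencies: frozenset      # technologies whose loss halts the service
    fallbacks: dict = field(default_factory=dict)  # dependency -> revenue fraction kept by fallback

# Constructed sample portfolio for a hypothetical hospital (not real data).
SERVICES = [
    Service("Emergency department", 73_000_000, frozenset({"EMR", "Windows endpoints", "Imaging PACS"}),
            {"EMR": 0.7, "Imaging PACS": 0.3}),   # paper downtime procedures, portable imaging
    Service("Outpatient clinics", 36_500_000, frozenset({"EMR", "Windows endpoints"}),
            {"EMR": 0.6}),
    Service("Billing", 18_250_000, frozenset({"Windows endpoints", "Billing SaaS"})),
]

def rank_by_revenue(services):
    """Start on the business side: rank services by revenue contribution."""
    return [s.name for s in sorted(services, key=lambda s: s.annual_revenue, reverse=True)]

def outage_loss(services, failed_dep, days):
    """Revenue lost while `failed_dep` is down for `days`, net of existing fallbacks."""
    loss = 0.0
    for s in services:
        if failed_dep in s.dependencies:
            kept = s.fallbacks.get(failed_dep, 0.0)
            loss += s.annual_revenue / 365 * days * (1 - kept)
    return round(loss, 2)

def single_points_of_failure(services):
    """Dependencies for which some service has no fallback at all, mapped to the services they halt."""
    spof = {}
    for s in services:
        for dep in sorted(s.dependencies):
            if dep not in s.fallbacks:
                spof.setdefault(dep, []).append(s.name)
    return spof

def max_worthwhile_spend(services, dep, kept_fraction, planning_days):
    """Annual loss an alternative enabler would avert: the price point below which it pays for itself."""
    baseline = outage_loss(services, dep, planning_days)
    residual = 0.0
    for s in services:
        if dep in s.dependencies:
            kept = max(s.fallbacks.get(dep, 0.0), kept_fraction)
            residual += s.annual_revenue / 365 * planning_days * (1 - kept)
    return round(baseline - residual, 2)
```

With a planning assumption of two endpoint-outage days per year, a fallback that keeps half of revenue flowing is worth up to $350,000 per year to this constructed hospital; note that the endpoint fleet is the one dependency every service shares with no fallback.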
Increasing Resilience to Cyber Incidents & Other Outages
An impact-based CRQ solution can provide a cost-benefit analysis of risk and resilience, so there is a clearer understanding of what gaps exist, what security investments can help to close them, and what alternative enablers are needed to increase business resilience. By analyzing just five to ten diverse risk scenarios, it becomes easier for you to align all your constituencies, closing the gap between the C-Suite, the Board of Directors, and security leadership teams. The reality is that significant and “unexpected” events are inevitable; focusing on impact minimization is the best way to limit (or even avoid) significant damage to the business. We’re delighted to be included in the Gartner Hype Cycle for Cyber-Risk Management 2024, and the increased emphasis on business impact solidifies the reality that CRQ isn’t hype but a business imperative.
If you’re interested in learning more about Axio’s cyber risk quantification methodology, designed to model low probability, high impact events with ease, reach out to us for a demo.