Time is Not on Your Side: Why Every CISO needs a Cyber Risk Quantification Strategy before It’s Too Late

Published by Axio

 

Cyber Risk Quantification needs to be the strategy driving your cybersecurity roadmap and priorities starting now. Breaches are getting worse, ransomware can cripple your business, and the financial impacts can last years. Looking at the financial impact of recent high-profile incidents such as Colonial Pipeline or SolarWinds makes it plain that the traditional methods of risk assessment are no longer enough on their own. Compliance mandates and maturity models have a purpose, but relying solely on them, or on qualitative approaches, security scoring, or stoplight (red/amber/green) ratings, will continue to leave you exposed in today’s climate. Making better, data-driven decisions to avoid these costly attacks has to be our focus, and this is where Axio’s Cyber Risk Quantification can make the difference.

This blog post will walk you through what you need to know and how to get started.

 

What is Cyber Risk Quantification (CRQ) and why do I need it? 

Put simply, Cyber Risk Quantification (CRQ) is the risk-management approach that security and business leaders take to understand their cyber risk in dollar terms. It helps us answer questions like “How much will ransomware cost me?” and “What will be the financial impact of an attacker stealing my customers’ personally identifiable information (PII)?” This drives better cyber prioritization, decision-making, spending optimization, and overall threat management. The cyber risk quantification process must be rapid, and the results transparent and easily understood by non-technical stakeholders.

In today’s cyberattack landscape, it is essential for business leaders to get an understanding of financial exposure because only then can the steps be taken to manage risks — either through investment in cyber initiatives and controls or through risk transfer (cyber insurance). For example, CRQ helps a security team decide between security trade-offs, like whether to implement an endpoint detection and response (EDR) solution or a privileged access management product (PAM) if only limited funds are available. (Let’s hope that you have enough resources for both!)

Like any cyber security project, the primary goal in Cyber Risk Quantification is to empower you to guard business assets and secure sensitive information; without a quantitative understanding of your risk landscape, it is not possible to make informed decisions about where and when investments will have the greatest impact.

While a control-based qualitative approach to risk analysis has become the norm, it still leaves too many dangerous gaps. Take a look at the response of Colonial Pipeline’s CEO to the ransomware attack that disrupted fuel supply across much of the U.S. East Coast. Defending the company’s security measures before the Senate Homeland Security and Governmental Affairs Committee, he pointed out that they had invested “over $200M in IT systems over the past five years,” but when pressed for details he could not offer specifics about what that spending had bought in terms of cyber risk reduction.

The IT software and services provider SolarWinds also experienced a high-profile and hugely destructive breach, disclosed in December 2020. The compromise of its Orion software affected thousands of customers and gave the attackers a foothold in some of America’s most sensitive intelligence and military institutions, not to mention hospitals, banks, school districts, and everyone else running Orion. As with Colonial Pipeline, the basics were in question: a clear-text password, solarwinds123, was reported to have been exposed in a public code repository for its update infrastructure (SolarWinds disputed that it played a role in the Orion compromise, but it is exactly the kind of basic hygiene failure that large IT budgets do not automatically fix). The pattern we’re seeing is that CEOs will spend large sums on security and IT infrastructure but are not taking care of the basics. Both companies are now spending heavily on remediation, but the larger question remains: can CEOs be confident that money spent on remediation will be prioritized against the largest risks, the ones that can cause the most significant financial disruption to the business?

In both examples, we see that CEOs ARE willing to spend money on cybersecurity (and to cite this spending after an incident occurs). Still, it’s very clear that this spending isn’t being done properly, and the focus is usually not in the right areas. Increasing spending on cyber security may or may not be a net positive for the company, and it usually follows a ransomware attack rather than preceding one. More cybersecurity products, including more cloud-based products, also expand the corporate attack surface and introduce more risk vectors to the organization. The true measure is whether the money is being prioritized correctly.

So how can you ensure your business IS focusing spending in the right areas? Cyber Risk Quantification does this by looking at scenarios that reflect real-life challenges to your specific industry or business. Your objectives should not only focus on risk reduction but also on spending optimization. To optimize spending and resources, risk assessments need to be specific to your organization. CRQ looks at the gaps left by qualitative risk assessments and addresses them using a scenario-based approach: each scenario gets an estimated frequency and an estimated loss range, which together yield an expected annual loss and a tail loss in dollars. By adopting a scenario-based approach, decision-makers can stack rank risks and focus mitigation efforts, giving them an understanding of the business impact potential events represent and an informed basis for deciding how best to respond to each risk: acceptance, insurance, or a mitigation project.
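The EDR-versus-PAM trade-off described earlier and the scenario-based stack ranking described in this section are easiest to see with numbers. The following is an added worked example and is not Axio’s model, methodology, or tooling: it is a minimal Monte Carlo quantification in the general style of frequency-times-magnitude risk models. Each scenario is given an assumed event frequency (a Poisson mean) and an assumed 90% confidence interval for per-event loss (modelled as lognormal); controls are modelled only as a fractional cut in event frequency. All scenario names, frequencies, loss ranges, control costs and reduction percentages are constructed assumptions for illustration, not data from any real breach or product.

```python
"""Scenario-based cyber risk quantification with a small Monte Carlo model.

Added illustration, not Axio's model or tooling. Every number below is a
constructed assumption chosen to make the arithmetic visible, not data
from any breach or vendor.
"""
import math
import random
from dataclasses import dataclass, field

Z95 = 1.6448536  # standard-normal z-score of the 95th percentile


@dataclass(frozen=True)
class Scenario:
    name: str
    events_per_year: float  # expected frequency, used as a Poisson mean (assumed)
    loss_p5: float          # 5th percentile of per-event loss in dollars (assumed)
    loss_p95: float         # 95th percentile of per-event loss in dollars (assumed)

    def lognormal_params(self):
        """Turn the 90% loss interval into lognormal (mu, sigma)."""
        mu = (math.log(self.loss_p5) + math.log(self.loss_p95)) / 2
        sigma = (math.log(self.loss_p95) - math.log(self.loss_p5)) / (2 * Z95)
        return mu, sigma

    def analytic_expected_annual_loss(self, freq_scale=1.0):
        """Closed form: rate * E[lognormal] = rate * exp(mu + sigma^2 / 2)."""
        mu, sigma = self.lognormal_params()
        return self.events_per_year * freq_scale * math.exp(mu + sigma ** 2 / 2)


@dataclass(frozen=True)
class Control:
    name: str
    annual_cost: float
    # scenario name -> fraction by which the control cuts event frequency (assumed)
    frequency_reduction: dict = field(default_factory=dict)


def poisson(rng, lam):
    """Knuth's algorithm; adequate for the small rates used in these scenarios."""
    limit, k, p = math.exp(-lam), 0, 1.0
    while True:
        p *= rng.random()
        if p <= limit:
            return k
        k += 1


def simulate_annual_losses(scenario, years, seed, freq_scale=1.0):
    """One simulated year = Poisson event count, each event a lognormal loss."""
    rng = random.Random(seed)
    mu, sigma = scenario.lognormal_params()
    lam = scenario.events_per_year * freq_scale
    return [sum(rng.lognormvariate(mu, sigma) for _ in range(poisson(rng, lam)))
            for _ in range(years)]


def summarize(losses):
    """Expected annual loss plus two tail points of the annual loss distribution."""
    s = sorted(losses)
    n = len(s)
    return {"expected": sum(s) / n, "p90": s[int(0.9 * n)], "p99": s[int(0.99 * n)]}


def rank_scenarios(scenarios, years=20_000, seed=1):
    """Stack-rank scenarios by simulated expected annual loss, largest first."""
    results = {s.name: summarize(simulate_annual_losses(s, years, seed)) for s in scenarios}
    return sorted(results.items(), key=lambda kv: kv[1]["expected"], reverse=True)


def control_roi(control, scenarios, years=20_000, seed=1):
    """Expected annual loss avoided per dollar of annual control spend."""
    avoided = 0.0
    for s in scenarios:
        cut = control.frequency_reduction.get(s.name, 0.0)
        if cut == 0.0:
            continue
        base = summarize(simulate_annual_losses(s, years, seed))["expected"]
        mitigated = summarize(simulate_annual_losses(s, years, seed, 1.0 - cut))["expected"]
        avoided += base - mitigated
    return avoided / control.annual_cost


# Constructed scenarios and controls (assumptions for the worked example only).
SCENARIOS = [
    Scenario("Ransomware", events_per_year=0.3, loss_p5=500_000, loss_p95=20_000_000),
    Scenario("Customer PII theft", events_per_year=0.1, loss_p5=200_000, loss_p95=5_000_000),
    Scenario("Business email compromise", events_per_year=0.25, loss_p5=20_000, loss_p95=500_000),
]
EDR = Control("EDR", annual_cost=250_000, frequency_reduction={"Ransomware": 0.50})
PAM = Control("PAM", annual_cost=300_000,
              frequency_reduction={"Ransomware": 0.20, "Customer PII theft": 0.30})

if __name__ == "__main__":
    for name, stats in rank_scenarios(SCENARIOS):
        print(f"{name:28s} expected ${stats['expected']:>12,.0f}  "
              f"p90 ${stats['p90']:>12,.0f}  p99 ${stats['p99']:>12,.0f}")
    for ctl in (EDR, PAM):
        print(f"{ctl.name}: ${control_roi(ctl, SCENARIOS):.2f} avoided per $1 spent")
```

Two things this makes visible that a qualitative heat map does not. First, the ranking is driven by the product of frequency and magnitude, so a rare scenario with a large loss range can outrank a frequent one; the closed-form `analytic_expected_annual_loss` lets you sanity-check the simulation before anyone presents it to a board. Second, for a scenario with 0.1 events per year, the 90th-percentile annual loss is zero (most years nothing happens) while the 99th percentile is in the millions, which is exactly the tail an insurer prices and a board needs to see next to the expected value. The control comparison is deliberately simple (frequency reduction only, no effect on loss magnitude, no deployment risk), so treat the ROI figures as a starting point for the conversation rather than a verdict.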

 

Who benefits from CRQ and what are those benefits? 

Getting executive leadership onboard with CRQ initiatives can be a challenge for CISOs and risk leaders, but based on what we have seen, it’s demonstrably clear that this is the best approach for planning a cybersecurity roadmap, as it enables an examination of cyber priorities through the lens of the business. Boards of Directors, for example, have a duty to understand the threat and risk environment of the organization, underscoring their need for much better visibility and quarterly reporting on how the security program is faring.

Quantification is a prerequisite for effective risk management; it allows you to identify specific risks that your business may be exposed to and then assess what that means in terms of impact on your business. By considering the unique financial objectives of your business, you can better understand operational risk and associated costs. Quantified risks and costs can be presented to and easily understood by board members and executive leadership, making them better prepared to understand the biggest risks to the business and security spend ROI.

CISOs additionally benefit from using CRQ because it gives them and their security teams a better way to plan their security roadmap. As ISACA notes, CISO “burnout” is real, and we’ve seen many CISOs become stuck operating in a highly reactive cyber defense environment. Large projects, like a company-wide risk assessment, will always be daunting. Fortunately, Cyber Risk Quantification is accessible: applying the CRQ methodology does not require a monumental, time-consuming rollout. For example, CISOs can start with a specific pain point or the expected ROI of a single project. Security teams can start at a micro level by identifying use cases that will help them solve a problem or answer a question for the organization. By quantifying your risk and putting it into the context of your business, you can build a program that aligns with the business roadmap.

 

How do I apply CRQ to real-life scenarios? 

Less visibility leads to higher risk. Once you plug in data points specific to your organization, Axio’s approach to measurement and interpretation of that data makes it actionable. Using CRQ to measure risk leads to holistic risk management with better reporting and visibility. In other words, CRQ reduces uncertainty. Qualitative measurements attempt to do this too, but CRQ makes the result more valuable and effective because it is expressed in the same units the business already uses to make decisions: dollars.

 

As organizations and security teams continue to pinpoint new use cases for CRQ, the data that we put in, and the way it’s interpreted, will continue to evolve. We can be certain that attacks and data breaches will continue to increase in number and cause greater damage; as CRQ becomes the standard for risk assessment and the inputs improve, its estimates will become more accurate and more valuable. Axio’s Cyber Risk Quantification provides the clarity and visibility around cyber risk that businesses need to prioritize critical cyber security decisions.