Cyber risk quantification (CRQ) has earned a bad reputation with many CISOs. The delays and drama of antiquated methods have left them skeptical about whether it is necessary at all. Many cybersecurity professionals tell us that communicating cybersecurity in dollars and cents is just not mainstream yet. Yet understanding the financial consequences of cybersecurity events is no longer optional. The term “cyber risk quantification” is becoming prominent in many executive-level conversations centered on aligning business risk reduction with cybersecurity initiatives.
As a first step, we would like to dispel a few common objections to adopting CRQ we hear from CISOs. The good news is there is a new way to quantify cyber risk—and it will not break the bank or your brain.
Four Common CRQ Objections We Hear from CISOs
CRQ Objection 1: It emphasizes calculating granular probabilities, leading to the inability to make expedient decisions.
Not if you focus on impact. Low-frequency, high-impact events should be prioritized when quantifying your cyber scenarios, as they are the ones that can cripple your business. These events need to be understood in more detail and require more investigation than common scenarios for which you have data readily available.
CRQ Objection 2: It is not transparent, and I have trouble understanding how the number was derived.
Not if you use simple arithmetic that any grade-schooler can understand. Any cybersecurity vendor hiding its cyber risk calculation inside a black box should put you on your guard. Cyber risk quantification should be easy enough to perform that any security team member can use readily available formulas to understand the specific losses incurred in a cyber scenario.
CRQ Objection 3: It requires a group of Ph.D. consultants to live in my security organization for years.
Anyone can learn how to quantify cyber scenarios in a setting like a two-day on-site workshop or digital training exercise and produce easy-to-understand board reporting. Six-month proof-of-concept engagements can be overwhelming, especially if they run over budget before you even get to a meaningful output. In addition, complete dependence on external parties to adjust calculations and provide reporting is not feasible as the cyber-risk landscape changes. The new way to do cyber risk quantification makes you self-sufficient and independent of a SWAT team of Ph.D. consultants.
CRQ Objection 4: It is not objective, and I will not be able to defend the methodology to non-cyber folks.
Not when you can be part of the risk calculation from day one. Any cybersecurity professional can learn how to model risks in simple and easy-to-understand steps. And when you know how the number was derived, you have confidence in defending it, confidence in asking for a larger cybersecurity budget, and confidence in clearly expressing strategic priorities to other decision-makers.
CRQ can be an easily manageable activity that takes days to learn and scales as your cybersecurity team grows. If you would like to learn more about the new way to do Cyber Risk Quantification, we welcome you to schedule a demo to see Axio360 in action.