Last week, Axions Daniel Brown, Mike Woodward and I attended SiRAcon at the Boston Federal Reserve building. We left feeling inspired and eager to apply some of what we learned back at Axio. One of the best aspects of the conference was hearing industry experts discuss topics that align with our recent work. The presentations flowed naturally, making it exciting to revisit my notes and connect the dots. Let’s dive into the key takeaways!
Understanding the business to address its risks
One of the talks opened with a slide titled “We are not facing a cyber problem; we’re facing a risk-based problem.” Cybersecurity teams provide insight into specific cyber risks and their mitigations, but those efforts are deeply interconnected with other internal departments. Risk extends beyond IT and can involve:
- Revenue-generating business lines
- Liabilities that could result in legal actions or other fines & penalties
- Technical investments needed to mitigate the risks that led to an event
Security teams need input from other departments to effectively address these broader risks.
Security is the absence of unacceptable risk
The same presentation introduced a compelling perspective: security is about eliminating unacceptable risks. This raises the critical question: how do you define an unacceptable risk? Much like materiality, it varies by organization and is guided by risk tolerance thresholds. For instance, if your company cannot afford a $5 million loss, that figure becomes your benchmark. Cyber Risk Quantification (CRQ) compares each quantified scenario against that threshold and sorts it into the acceptable or unacceptable bucket, which in turn guides how the unacceptable ones are treated: reduce them with security controls, transfer them with insurance, or avoid the activity altogether.
Inertia is the number one cause of CRQ burnout
CRQ’s value lies in helping define unacceptable risks, but many companies struggle to even start. Many tools and vendors require significant upfront investment, which discourages early adoption. To overcome this, organizations should be empowered to start where they are, even if that means quantifying risks in Excel or from scratch. Properly scoped scenarios can be built and refined over time rather than waiting on a tooling purchase.
Collecting and sharing cyber data is only a start; it needs to drive business decisions
Quantifying risks because “my boss told me to” or “our competitors are doing it” are weak justifications. To drive successful outcomes and secure stakeholder buy-in, a business case must be built that demonstrates how CRQ influences decision-making. CRQ stands apart because it requires collaboration across teams to produce the data that guides business decisions. Once risks are quantified, the key question becomes: how will this data inform our actions? Risk acceptance often comes down to financial analysis: deciding whether to invest in a control like MFA or to increase cyber insurance coverage. The answers lie in the data CRQ provides.
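To make the threshold idea from “Security is the absence of unacceptable risk” and the MFA-versus-insurance decision above concrete, here is a small from-scratch example. It is added to this write-up and is not Axio’s model or anything presented at SiRAcon. It simulates one scenario’s annual loss with a Monte Carlo run (Poisson event frequency, triangular per-event loss), marks the scenario unacceptable when the yearly chance of breaching a $5 million tolerance exceeds an assumed 5% appetite, and prices two treatments against the baseline. The scenario’s frequency and loss figures, the 90% frequency reduction credited to the control, the control’s cost, and the insurance premium, retention and limit are all constructed assumptions.

```python
"""Toy CRQ workflow: Monte Carlo annual loss for one scenario, a tolerance check,
and a side-by-side of a control versus insurance. Illustration only, not Axio's model."""
import math
import random
from dataclasses import dataclass, replace


@dataclass
class Scenario:
    """A quantified loss scenario: how often it happens and what one event costs."""
    name: str
    events_per_year: float   # mean event frequency (Poisson rate)
    loss_low: float          # per-event loss in dollars: minimum,
    loss_mode: float         # most likely,
    loss_high: float         # and maximum (triangular distribution)


def poisson(rate: float, rng: random.Random) -> int:
    """Sample one year's event count (Knuth's method; the stdlib has no Poisson)."""
    if rate <= 0:
        return 0
    limit, k, p = math.exp(-rate), 0, 1.0
    while True:
        p *= rng.random()
        if p <= limit:
            return k
        k += 1


def annual_losses(sc: Scenario, trials: int, seed: int = 1) -> list[float]:
    """Simulate `trials` years; each year's loss is the sum of that year's event losses."""
    rng = random.Random(seed)
    return [sum(rng.triangular(sc.loss_low, sc.loss_high, sc.loss_mode)
                for _ in range(poisson(sc.events_per_year, rng)))
            for _ in range(trials)]


def exceedance_probability(losses: list[float], threshold: float) -> float:
    """Fraction of simulated years whose loss exceeds the threshold."""
    return sum(1 for x in losses if x > threshold) / len(losses)


def classify(losses: list[float], tolerance: float, appetite: float = 0.05) -> str:
    """Unacceptable when the yearly chance of breaching the tolerance (the loss the
    business says it cannot absorb) exceeds the risk appetite (assumed 5%)."""
    return "unacceptable" if exceedance_probability(losses, tolerance) > appetite else "acceptable"


def retained_after_insurance(loss: float, retention: float, limit: float) -> float:
    """Loss the company keeps under a policy: the retention plus anything above the limit."""
    return min(loss, retention) + max(0.0, loss - retention - limit)


def compare_options(sc: Scenario, tolerance: float, trials: int = 20_000) -> dict:
    """Baseline versus two treatments, each priced as expected retained loss plus its cost.
    The control's 90% frequency cut and both price tags are illustrative assumptions."""
    baseline = annual_losses(sc, trials)
    control_cost = 400_000                      # assumed annual cost of the control (e.g. MFA)
    controlled = annual_losses(replace(sc, events_per_year=sc.events_per_year * 0.1), trials)
    premium, retention, limit = 450_000, 500_000, 7_000_000   # assumed policy terms
    insured = [retained_after_insurance(x, retention, limit) for x in baseline]

    def summarise(losses: list[float], extra_cost: float) -> dict:
        mean = sum(losses) / len(losses)
        return {"expected_loss": round(mean),
                "p_exceed": exceedance_probability(losses, tolerance),
                "verdict": classify(losses, tolerance),
                "net_annual_cost": round(mean + extra_cost)}

    return {"baseline": summarise(baseline, 0),
            "control": summarise(controlled, control_cost),
            "insurance": summarise(insured, premium)}


if __name__ == "__main__":
    # Constructed scenario: a credential-theft-driven breach, dollar losses per event.
    breach = Scenario("credential breach", 0.5, 500_000, 2_000_000, 12_000_000)
    for option, stats in compare_options(breach, tolerance=5_000_000).items():
        print(f"{option:10s} {stats}")
```

Run it directly to print the three options, then swap in your own scenario parameters. The decision sits in the last field: a treatment is worth buying when its expected retained loss plus its price comes in below the baseline expected loss, and the exceedance probability tells you whether the scenario actually moves from the unacceptable bucket to the acceptable one, which is a different question from whether it is cheaper.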
Insights shared by Axio at SiRAcon
Axions gained valuable insights from the conference, but we also contributed to the conversation. Mike Woodward presented on the parallels between war gaming and cyber risk quantification, highlighting how successful military leaders prepare for worst-case scenarios—a mindset equally relevant to cybersecurity. Whether it’s military leaders or cybersecurity teams, you have to expect the worst if you want to be prepared for it.
On another note, Daniel and I gave our own talk on the SEC’s cybersecurity disclosure rules: a review of the first year under the rules followed by some forward-looking observations. Organizations have struggled to apply the rules so far, and we explored how CRQ can change the way materiality assessments and compliance reporting are done going forward.
Let’s keep the conversation going!
SiRAcon was an exciting event, and while we’ve summarized some key points here, there’s so much more to explore. If you’re interested in learning more about our CRQ approach, schedule time to connect with one of our experts.