The following is a webinar takeaways blog that featured David White, Axio President and Yousef Ghazi-Tabatabai, Director PwC UK. Moderation provided by Jennifer Moll, VP of Strategy, Axio
Embark on your CRQ journey while avoiding drifting and wasted time
We recently hosted a hands-on webinar exploring why Cyber Risk Quantification (CRQ) is critical in today’s business environment. The notion of how to properly manage cyber risks is changing, with security leaders moving away from simplistic cyber risk reports and pursuing more meaningful financial analysis. When done pragmatically, CRQ allows you to prioritize projects, justify budgets, and ease into insurance renewal decisions.
High-impact cyber-attacks are continuing to make front-page headlines every day. The Securities and Exchange Commission recently passed cybersecurity disclosure rules in response to this increased threat landscape. Organizations should have frameworks and methodologies in place now to respond within four days, including quantification for materiality disclosures. Clients come to Axio for short and sharp risk assessments as well as for longer-term capability building as they progress in their cyber risk management maturity. The thread that holds both these objectives together is a unified framework across teams to understand cyber risks in an actionable way.
Below are 6 important takeaways from our webinar presentation.
Make your CRQ journey effortless by leveraging these six considerations
1. Narrow your scope
This prevents you from drifting in model design. Focus on one scenario that entails a threat vector you are particularly worried about, i.e. ransomware. Instead, broaden different types of data input sources to get started such as your current state of controls, threat intelligence feeds, and direct human input from those who have experienced non-cyber analogous events before (such as legal and financial impacts).
2. Do consensus building via ranking
Agreement on critical risks requires many stakeholders, and this is where direct human input plays a crucial role, as expressed in the previous takeaway. Research shows domain experts are horrible at estimating values and probabilities but easily rank relative likelihood. Effective cyber risk quantification requires iteration and successive discovery. Ranking helps you get there faster with less doubt and more constructive insights.
3. Focus on asset restriction
First, determine which assets fall into your scope. Boiling the ocean and modeling every asset is not a true risk-based approach to reducing your cyber exposure.
4. Make sure your data is defensible
Use data ranges instead of precise data as you are never going to achieve perfect accuracy and probability. There are many methods of cyber risk quantification that focus on honing in on the frequency of events, which often leads to reporting delays as you try to dial in and calibrate your calculation. Use industry-leading research from think tanks and other credible sources. But your defensibility is better addressed through the transparency of showing every calculation in your report. When you can get to the very source of inputs to determine an expected loss, you can rest assured your inquisitor will trust your methodology.
5. Don’t forget the importance of maintaining your maturity measurement
A commercial platform makes the maintenance of your cybersecurity maturity measurement practical. SEC’s new rules will reinforce a quarterly reporting rhythm. Organizations must regularly refresh quantified scenarios for the board.
6. Keep your insurance portfolio in the equation
Premium reductions help sell a CRQ program to skeptics. Quantification analysis can also help insurance buyers demonstrate the strength of their risk management capability to insurers.
For more guidance, watch the full webinar as we dive into the details
The takeaways above are only a very short preview of the discussion we had. If you would like to dive deeper, you can watch the recorded webinar, which covers these critical topics:
- How to get started with CRQ and not get overwhelmed by the complexity trap of legacy approaches.
- How organizations are successful with CRQ – including better collaboration, financial reporting, and a stronger insurance portfolio against cyber threats.
- Pitfalls to avoid and common obstacles on the CRQ journey.
- Tangible lessons learned for you to take back to your organization.
In addition, if you would like to learn more about cyber risk quantification and its role in enterprise risk management, you can download our eBook covering the topic in more detail.