Axio’s CEO and Co-Founder, Scott Kannry, recently had the opportunity to co-host a webinar with guest Paul McKay, Research Director at Forrester. In this session, “CRQ – A Better and More Effective Way to Manage Risk,” Scott and Paul shared insights based on their experience in the cyber risk quantification space, touched on some key takeaways from Forrester’s 2022 CRQ report, “Transform Cyber Risk Management with Cyber Risk Quantification,” and offered their advice on jumpstarting a new or stale CRQ program within your organization.
Read on for some highlights, and check out the full webinar recording here.
Bridging the language barrier between technical and business
CISOs are constantly asking for more budget, but many don’t feel prepared with the right tools to demonstrate ROI to the CEO and board members, and outdated methods like heat maps won’t get them there. Forrester’s report, co-authored by Paul, aptly refers to CRQ as the “Rosetta Stone” for cybersecurity and business.
CRQ transforms cyber risk into the common language of money that CISOs can leverage to answer two basic questions from the CEO and board:
- Are we spending money in the right place?
- Are we spending that money wisely, and where is the ROI?
By bridging the language barrier between technical and business, CRQ has the potential to elevate the cybersecurity space by getting CISOs and other business decision-makers on the same level and enabling a more holistic understanding of where the greatest areas of risk are.
Helping business leaders justify cybersecurity investments
When asked how CRQ can help justify cyber investments, Scott points out that the question weighing on every CEO and board member is “what is the chance that something will hit me next week, next month, next year, or even in the next 5-10 years?” Traditional cyber risk management approaches like heat maps do not answer that question, because they rank risks on ordinal scales rather than estimating a likelihood and a loss.
CRQ practitioners accept that the chance of a cyber-attack is never zero. Using real-life risk scenarios unique to your business, CRQ provides usable data points that are easy to interpret, like:
- How well your company does at managing risk relative to your areas of exposure
- How your company matches up when benchmarked against cyber frameworks and its peers
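The “what is the chance it hits us next year, or in the next five?” question above has a concrete shape once a scenario is written down as a frequency and a loss magnitude. The following is an added example written for this page, not code from the webinar, Axio or Forrester, and it does not claim to be their method: it models one scenario as a Poisson event rate with a lognormal loss per event, answers the horizon question in closed form, estimates annualized expected loss both analytically and by Monte Carlo, and compares a control’s cost against the loss it removes. The scenario figures (a 0.5-per-year ransomware rate, a $500k median loss, a $100k control) are constructed for illustration.

```python
"""Illustrative frequency-times-magnitude cyber risk model (added example).

Assumptions, not taken from the webinar: one scenario is described by an
annual event rate (Poisson) and a lognormal loss-per-event distribution
given by its median and a dispersion parameter sigma.
"""
import math
import random
from dataclasses import dataclass


@dataclass(frozen=True)
class Scenario:
    name: str
    annual_rate: float   # expected events per year (Poisson lambda)
    median_loss: float   # median loss per event, in currency units
    sigma: float         # lognormal dispersion of loss per event


def prob_at_least_one(annual_rate: float, years: float) -> float:
    """P(at least one event within `years`) under a Poisson process."""
    return 1.0 - math.exp(-annual_rate * years)


def expected_loss_per_event(s: Scenario) -> float:
    """Mean of a lognormal with median m and dispersion sigma: m * exp(sigma^2 / 2)."""
    return s.median_loss * math.exp(s.sigma ** 2 / 2.0)


def annualized_expected_loss(s: Scenario) -> float:
    """Closed-form annualized expected loss: rate times mean loss per event."""
    return s.annual_rate * expected_loss_per_event(s)


def _poisson(rng: random.Random, lam: float) -> int:
    """Knuth's Poisson sampler; adequate for the small rates used here."""
    limit, k, p = math.exp(-lam), 0, 1.0
    while True:
        p *= rng.random()
        if p <= limit:
            return k
        k += 1


def simulate_annual_losses(s: Scenario, trials: int = 20_000, seed: int = 7) -> list:
    """Monte Carlo: each trial is one simulated year; returns total loss per trial."""
    rng = random.Random(seed)
    mu = math.log(s.median_loss)
    losses = []
    for _ in range(trials):
        events = _poisson(rng, s.annual_rate)
        losses.append(sum(rng.lognormvariate(mu, s.sigma) for _ in range(events)))
    return losses


def loss_exceedance(losses: list, threshold: float) -> float:
    """Fraction of simulated years whose total loss exceeds `threshold`."""
    return sum(1 for x in losses if x > threshold) / len(losses)


def control_value(before: Scenario, after: Scenario, annual_control_cost: float):
    """Return (net annual benefit, benefit-to-cost ratio) of a control that
    moves the scenario from `before` to `after`."""
    reduction = annualized_expected_loss(before) - annualized_expected_loss(after)
    return reduction - annual_control_cost, reduction / annual_control_cost


# Constructed illustrative figures, not real data.
RANSOMWARE_BEFORE = Scenario("ransomware", annual_rate=0.5, median_loss=500_000, sigma=1.0)
RANSOMWARE_AFTER = Scenario("ransomware + backups/MFA", annual_rate=0.25, median_loss=500_000, sigma=1.0)
CONTROL_COST = 100_000  # assumed annual cost of the control


if __name__ == "__main__":
    s = RANSOMWARE_BEFORE
    for years in (1 / 52, 1 / 12, 1, 5, 10):
        print(f"P(>=1 event in {years:.3g} yr) = {prob_at_least_one(s.annual_rate, years):.3f}")
    print(f"analytic annualized expected loss = {annualized_expected_loss(s):,.0f}")
    sim = simulate_annual_losses(s)
    print(f"simulated mean annual loss        = {sum(sim) / len(sim):,.0f}")
    print(f"P(annual loss > 2M)               = {loss_exceedance(sim, 2_000_000):.3f}")
    net, ratio = control_value(RANSOMWARE_BEFORE, RANSOMWARE_AFTER, CONTROL_COST)
    print(f"control net benefit = {net:,.0f}/yr, benefit/cost = {ratio:.2f}")
```

The horizon probabilities come straight from the rate, which is why the same scenario can be reported for next week and for the next decade without re-estimating anything. The Monte Carlo run adds what the closed form cannot: a loss-exceedance figure such as “chance of losing more than $2M in a year”, which is the kind of number a board can compare against insurance limits and risk appetite.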
Additionally, when it comes to buying cyber insurance, companies that can articulate their cybersecurity strategy in CRQ terms are recognized by a variety of insurers and tend to be rewarded with better coverage terms and lower premiums.
Overcoming common obstacles to a successful CRQ program
CRQ has yet to reach mainstream adoption, and many cyber leaders remain skeptical of its efficacy. Paul and Scott outline some common obstacles and offer advice on how to work through them, including:
- Lack of adequate scoping: Oftentimes, Paul notes, people start “too big” and quickly become overwhelmed, so it is important to get specific and start small. Focus on one particular decision, and use the confidence gained from its successful outcome to expand the program.
- Lack of a shared risk taxonomy: Cybersecurity’s language differs from how the rest of the business talks about risk, so people do not understand what each other is trying to do. CRQ keeps that language consistent and keeps everyone on the same page.
CRQ is a decision-making tool, so focus on a smaller pilot project with a clear and actionable outcome. This will give you a chance to demonstrate time-to-value and provide defensible results.
“You don’t always have to be right – but you have to be reasonably informed and reasonably act.”
CRQ provides the pathway to defend your reputation as a security leader because of its ability to help you identify and communicate where the greatest areas of risk are (and better prioritize them). Use your CRQ program to elevate the dialogue around cybersecurity and empower executives to understand it.
The time to start your CRQ journey is now. Whether you adopt it today or later, CRQ is on track to become the de facto standard for how boards expect to consume information on cyber risk.
For the whole conversation and even more thoughtful takeaways, view the full webinar here.