Why leaders need cyber risk quantification to survive


Risk is all around us. Driving down the road in our car or eating certain foods could be considered risks we assess on a daily basis. We just don't notice we're making those assessments because they're subconscious. Most of the time, we don't actively quantify a risk unless it poses a clear and present danger. For example, you might avoid walking down a dark alley at night because the potential threat is clear to you, but eating a Big Mac or Whopper frequently is likely just as threatening to your health; you simply won't come face-to-face with that threat until years down the road.

Business leaders approach risk within their company the same way. For example, the clear and present danger of the Microsoft Exchange Server zero-day vulnerabilities led companies to jump quickly on the patches that would safeguard their business from harm. But, every day, we overlook the inherent risks in our employee base, intellectual property, supply chain and more.

So, how do we find these hidden risks within our business and how do we quantify them?

The case for cyber risk quantification (CRQ)

Businesses are surrounded by cyber threats. And the last year has only increased this risk, with more and more digital services entering the market. Unfortunately, threats like ransomware, insider threats and more can be extremely costly, with recent IBM research showing the average breach costing $3.6 million. Colonial Pipeline reportedly paid a ransom of roughly $4.4 million (early reports put the figure at nearly $5 million). The tough part is that, until they happen, these types of threats are much harder to quantify than a business cost like customer acquisition.

Enter: cyber risk quantification (CRQ). CRQ allows business leaders to view cyber risk through a quantifiable lens, because it tracks real metrics: not only the monetary cost of a potential threat but also the larger impact it might have on the business in areas like employee engagement, brand reputation and customer happiness. Looking at cyber risk this way allows leaders to make smarter decisions about cybersecurity investments.

How to get started with CRQ

While extremely important, CRQ can also be very time-consuming when done manually. Because CRQ isn't a one-time project, it also requires a team dedicated to maintaining the data. With an automated CRQ platform, however, businesses can create an always-on CRQ feedback loop.

Here’s how to implement CRQ in three easy actions:

Action 1: Set a goal

Before you can find success with CRQ, you must first define what that success looks like. One way to do so is to identify one (or a few) security frameworks that best fit your organization -- for example, ISO/IEC 27002, the NIST Cybersecurity Framework (CSF) or NIST SP 800-53. The framework gives you a point of reference for the controls you must put in place to maintain compliance.

Action 2: Complete a security stack audit

Just because you have a security stack in place doesn’t mean it’s the right security stack. Before you can identify the cybersecurity blind spots putting your business at risk, you must first compare your stack to the security framework(s) you previously designated as your goal. Compare the capabilities of both your products and your vendors against the controls you need in place to reach compliance with your goal framework. Are there overlaps? Are there gaps? Identifying these blind spots will not only allow you to spot where there might be hidden vulnerabilities but will also help you reallocate budget where you might be overspending on overlapping capabilities.

Action 3: Set metrics

As you perform actions 1 and 2, you'll be building the foundation for CRQ. Action 3 is where true CRQ comes into play. Now that you're able to quantify your technical risk through the lens of your goal security framework, you must translate that technical risk into business metrics that help quantify business risk. These metrics are organized around the business risk areas that matter most, for example third-party partners, customer experience, brand reputation or data integrity. And if you're an international company, you must also think about things like geopolitical risk.

Once you determine the business metrics that make the most sense for your business, you must score them by rating your compliance with the security controls associated with each. This will allow you to build a trend analysis that spotlights gaps in your security controls and helps you make smart decisions around where to invest in cybersecurity.
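The three actions above form one loop: pick a framework, audit the stack against it for gaps and overlaps, then roll control ratings up into business-area scores and track them over time. The following is an added example that walks that loop end to end; it is not code from this article, from RedMonocle or from any CRQ product. The control identifiers are real NIST CSF 1.1 subcategories (their descriptions are paraphrased), but the product inventory, the mapping of controls to business areas and the quarterly ratings are all constructed for illustration.

```python
"""Toy CRQ scoring loop: stack audit (Action 2) feeding business-risk scores (Action 3)."""
from collections import defaultdict

# Constructed subset of NIST CSF 1.1 subcategories (real identifiers, paraphrased text).
CONTROLS = {
    "ID.SC-1": "Supply-chain risk management process identified",
    "PR.AC-1": "Identities and credentials issued and managed",
    "PR.DS-1": "Data-at-rest protected",
    "PR.DS-2": "Data-in-transit protected",
    "DE.CM-1": "Network monitored for events",
    "DE.CM-4": "Malicious code detected",
    "RS.RP-1": "Response plan executed during an incident",
}

# Constructed stack inventory: product -> controls it claims to satisfy.
STACK = {
    "EDR": {"DE.CM-4"},
    "NGAV": {"DE.CM-4"},            # same control as EDR: an overlap (budget candidate)
    "SSO with MFA": {"PR.AC-1"},
    "Disk encryption": {"PR.DS-1"},
    "NDR": {"DE.CM-1"},
}

# Assumed mapping of business-risk areas to the controls that protect them.
BUSINESS_AREAS = {
    "third-party partners": ["ID.SC-1", "PR.DS-2"],
    "data integrity": ["PR.AC-1", "PR.DS-1", "PR.DS-2"],
    "brand reputation": ["DE.CM-1", "DE.CM-4", "RS.RP-1"],
}


def stack_audit(stack, controls):
    """Action 2: compare the stack to the framework.

    Returns (gaps, overlaps): gaps are controls no product covers,
    overlaps are controls covered by more than one product.
    """
    coverage = defaultdict(list)
    for product, ctrls in stack.items():
        for ctrl in ctrls:
            coverage[ctrl].append(product)
    gaps = sorted(c for c in controls if c not in coverage)
    overlaps = {c: sorted(p) for c, p in coverage.items() if len(p) > 1}
    return gaps, overlaps


def score_areas(areas, ratings, gaps):
    """Action 3: average control rating (0.0 to 1.0) per business-risk area.

    A control in `gaps` has no product behind it, so it scores 0 even if a
    questionnaire rates it higher; a control with no rating also counts as 0.
    """
    scores = {}
    for area, ctrls in areas.items():
        total = sum(0.0 if c in gaps else ratings.get(c, 0.0) for c in ctrls)
        scores[area] = round(total / len(ctrls), 2)
    return scores


def trend(snapshots, areas):
    """Score a sequence of (stack, ratings) snapshots; returns area -> [scores]."""
    history = defaultdict(list)
    for stack, ratings in snapshots:
        gaps, _ = stack_audit(stack, CONTROLS)
        for area, score in score_areas(areas, ratings, gaps).items():
            history[area].append(score)
    return dict(history)


def weakest_area(scores):
    """Lowest-scoring area in a snapshot: the first place to consider investing."""
    return min(scores, key=scores.get)


# Constructed quarter-over-quarter snapshots: Q2 adds TLS coverage and an IR retainer.
Q1_RATINGS = {"PR.AC-1": 1.0, "PR.DS-1": 1.0, "DE.CM-1": 0.5, "DE.CM-4": 1.0}
Q2_STACK = {**STACK, "TLS everywhere": {"PR.DS-2"}, "IR retainer": {"RS.RP-1"}}
Q2_RATINGS = {**Q1_RATINGS, "PR.DS-2": 1.0, "RS.RP-1": 0.5}
SNAPSHOTS = [(STACK, Q1_RATINGS), (Q2_STACK, Q2_RATINGS)]

if __name__ == "__main__":
    gaps, overlaps = stack_audit(STACK, CONTROLS)
    print("Q1 gaps:", gaps)
    print("Q1 overlaps:", overlaps)
    history = trend(SNAPSHOTS, BUSINESS_AREAS)
    for area, scores in history.items():
        print(f"{area:22s} {scores}")
    print("invest next in:", weakest_area({a: s[-1] for a, s in history.items()}))
```

Two design points carry over to a real program: a gap found in the audit caps the rating of that control at zero no matter what a self-assessment says, so Action 2 and Action 3 cannot drift apart, and the scores are kept per snapshot so the trend, not a single number, drives the investment decision.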

CRQ isn’t just a project, it’s a continuous learning cycle that allows you to regularly quantify your cyber risks to protect your business against the unknown. It’s an integral part of not only technical decisions but larger business decisions that could make or break the success of your organization.

Photo Credit: Olivier Le Moal / Shutterstock

Sean McDermott is the Founder & CEO of RedMonocle, the leading CRQ platform for quantifying cybersecurity risk. He is also the President and Founder of Windward Consulting and the Lead Researcher at Helix Market Research. Sean previously founded RealOps, Inc., the pioneer in enterprise management Run Book Automation solutions which BMC acquired. Sean's curiosity for advancing technology began at his first job as a network engineer/architect installing and managing the first private internet for the U.S. Department of Justice, at a time when the internet was taking off and has continued to be on the cutting edge of technology. He advocates for mission-driven capitalism and shares how other entrepreneurs can align passion and action on his blog, Wheels up World. Sean founded the Alzheimer's Caregiver Alliance, whose mission is to support Alzheimer's caregivers.


© 1998-2024 BetaNews, Inc. All Rights Reserved. Privacy Policy - Cookie Policy.