Cyberrisk quantification and how to measure it [Q&A]
Enterprises face an increasing range of cybersecurity risk, but quantifying and managing those risks can be a difficult task.
Recent Gartner research shows that more companies are trying to roll out cyber risk quantification (CRQ) in order to get a greater understanding of their risk profile.
To find out more we spoke to Richard Seiersen, chief risk technology officer at Qualys and the author of How to Measure Anything in Security Risk.
BN: Why is risk management increasing in priority for CISOs and security teams this year?
RS: I assume it's due to capital constraints and increased digital complexity. A better question is why hasn't risk management always been the priority? Perhaps it's a misunderstanding of what risk (and risk management) actually means. In our book we say, "Risk is a state of uncertainty where some of the possibilities lead to loss, catastrophe or some other undesirable outcome." And risk management becomes, "The mitigation and or transfer of the most plausible of those losses that impact business objectives." Perhaps this tougher environment is forcing CISOs to do what they should have been doing all along?
BN: How do these teams succeed around implementing risk management projects? What holds these projects back or leads to them not succeeding?
RS: Failure stems from treating risk management as a project or capability. It's not. Risk management is a practice. And that practice has at its root the measurement of uncertainty (or conversely your certainty). You are uncertain about what you stand to lose. You're also uncertain if the return on mitigating (or transferring) loss is worth it relative to other opportunities. Risk management helps you decide in a consistent, discriminating and relatively (mathematically) unambiguous manner.
BN: Are CISOs happy to look at metrics and risk? Do they understand the challenges that they have to meet in putting these together?
RS: I don't know about CISOs' moods on measurement. All I know is that any serious domain of practices must pass through the sieve of measurement to be taken seriously. Look at any STEM domain. If a given domain does not make the measurement journey then it may be an indication that it's not very serious. But we know that security is a serious domain due to what we stand to lose when it's done poorly. Bottom line, CISOs must lead with measuring risk so it can be managed as defined above. Those CISOs who look at measurement as a luxury would be like the civil engineer making bridges doing likewise -- not long in the job and likely enabling disaster in the process.
BN: What is the one lesson that you think CISOs have to learn around managing risk?
RS: It is the first and most important activity a CISO undertakes. Everything else is in service of the efficient management of business impacting risk.
BN: What should those that want to become security leaders know about this? Where should they look to learn about this before they sit in the CISO hot seat?
RS: There is so much to learn. But learning fails if your point of view is misdirected. So, my recommendation would be to study these three quotes for hours on end:
- A problem well defined is a problem half solved. -- Kettering
- Tactics without strategy is the noise before defeat. -- Sun Tzu
- Strategy is the economy of forces. -- Clausewitz
And from there, consider reading How To Measure Anything In Cybersecurity Risk. But that's a shameless plug!
Image Credit: Nicoelnino/Dreamstime.com