Leading organizations are taking cyber risk quantification from the academic to the operational to make more informed risk and investment decisions
Organizations constantly face new tactics from cybercriminals who aim to target and compromise their most valuable assets. Yet, despite evolving techniques, many security leaders still rely on subjective terms such as low, medium, and high to communicate and manage cyber risk. These vague terms do not convey the necessary detail or insight to produce actionable outcomes that accurately identify, measure, manage, and communicate cyber risks, leaving executives and board members uninformed and ill-prepared to manage the organization effectively.
At the same time, executives are feeling increasing pressure to improve cybersecurity programs with the rise of newly adopted U.S. Securities and Exchange Commission (SEC) regulations, requiring publicly traded companies to rapidly disclose cyberattacks and material information about their cybersecurity risk management, strategy, and governance. Cyber Risk Quantification (CRQ) has emerged as the most effective way to maximize cyber risk management programs by translating cyber risk into specific financial impacts. According to Forrester Research, “CRQ will fundamentally revolutionize the way that security leaders engage with boards and executives to discuss cybersecurity” (McKay, 2022).
1. Cyber Risk Reporting to Executives and Boards of Directors
News headlines of cyber attacks and zero-day vulnerability exploits have become typical conversation topics in board rooms, causing cyber risk to be one of the top five risks facing organizations. In today's world, it is essential for security leaders to communicate cyber risks to their boards in a clear, concise, and understandable way. Often, cybersecurity reports are filled with too many technical details, hindering executives from making well-informed decisions and accurately assessing the cybersecurity risk landscape. This can lead to confusion and subjective decision-making.
By operationalizing CRQ, security leaders can provide executive-level reporting that communicates the financial impacts of cyber attacks targeting vital business assets, leading to disruptions in operations, system outages, reduced production, and costs associated with recovery.
Put simply, cyber risk is business risk and should be communicated in business terms. Using the outputs of a CRQ program, leaders can drive alignment with their boards and executive teams and improve their overall risk reduction strategies and investments.
2. Security Spend Optimization
Security executives are pressured to increase protection measures and reduce risk as cost-effectively as possible, given economic constraints and limited budgets. However, traditional decision-making methods often rely on subjective information, making it challenging to objectively justify previous or upcoming security investments. Operationalizing CRQ breathes objectivity into the decision-making process. It enables organizations to optimize cybersecurity programs and tool investments by prioritizing spending based on financial risk reduction and maximizing return on investment (ROI).
Without first quantifying the risks in the context of the current security control posture as a baseline, organizations cannot accurately measure the effectiveness of their security initiatives or determine their next best investment. Understanding the organization's financial risk exposure allows security leaders to focus on the areas with the greatest risk reduction opportunities and to prioritize security initiatives that align with business objectives and mitigate the most significant risks facing the business.
3. Enterprise Risk Program Development
To provide decision makers with an overall organizational risk profile, cyber risk must be fully integrated into the overall enterprise risk management (ERM) program. But this is only possible by understanding the financial implications of cyber threats so that organizations can align their risk mitigation efforts with business objectives and enhance overall organizational resilience.
Historically, many organizations have developed independent risk management procedures, including Enterprise Risk Management, Cyber Security, Operational Risk, Compliance, and IT Risk. CRQ is becoming a best practice among leading organizations to develop and operate effective risk management programs, revamp risk scoring, and integrate enterprise risk management procedures. Leading organizations that have leveraged CRQ to improve their management processes have developed a single, integrated operating model for risk management. This allows for better analytics, identifying and tracking trends across lines of business or functional areas, and surfacing systemic risks to the organization. While this requires a fresh approach to thinking about risk management, incorporating several risk management functions, the result is a standardized, consistent, and well-understood risk identification, analysis, and reporting process. CRQ provides the organization with a singular definition of risk and removes any uncertainty about how to report risks to leadership and the Board. By reporting risks in terms of business impact and financial exposure, we remove the subjective interpretations that rely on nominal scales or color codes.
As one Chief Risk Officer recently shared, “We noted that many risks stemming from different lines of business are similar in nature and share common root causes. Using a singular risk management evaluation process allows us to identify expected impacts quickly and, more importantly, leverage proven mitigation approaches to address those risks.” As companies continue to mature their cyber risk capabilities by adopting CRQ, it is advisable that they consider incorporating CRQ into other risk functions and work towards adopting an integrated risk management operating model.
Getting Started with Cyber Risk Quantification
Whether you are trying to stay ahead of regulations, reacting to a cyber event, or being proactive, adopting cyber risk quantification can help your organization improve cybersecurity reporting, optimize budgets, create risk-based security roadmaps, financially prioritize vulnerabilities, and enhance enterprise risk management. By doing so, security leaders enable their executives and board members to make well-informed, risk-based, financially responsible decisions.
Although it may seem daunting, organizations can take simple steps to progress on this journey. We recommend starting small, picking one or two use cases that best align with your organization’s security goals, and integrating CRQ into business processes that drive actionable results.
If you would like to learn more, feel free to contact ThreatConnect or IBM Consulting Security Services, and we can assist you in operationalizing cyber risk quantification for your organization.
Join this webinar on November 8, 2023, for a deeper dive on these real-world CRQ use cases.