For too many organisations, the early approach to cyber risk quantification (CRQ) has been too manual, has taken too long, has produced questionable results and has failed to win the support of business leadership. None of this means that CRQ is not a critically important component of an effective cyber security strategy.
The CRQ journey no longer has to mean a year of organisational disruption and a massive upfront investment. The proposition put to chief information security officers (CISOs) cannot be to hire more experts, add more complexity, spend hundreds of thousands of pounds on professional services and take a year or more to build a system. That is an untenable position for most CISOs.
Adopting solutions designed to take complexity, time and cost out of the CRQ process is vital. A decision support system that operates in near real time, rather than waiting on lengthy interviews, training and manual reviews, is what makes the approach sustainable. It should be fed by a threat intelligence platform (TIP) that injects real-world threat actor analysis into the risk models, and paired with a security orchestration, automation and response (SOAR) platform that acts on the resulting 'north star' view of where to focus. That is what turns intelligence into action across the existing security infrastructure.
Operating in real-time
Attackers don't sleep, and neither does a business or its IT infrastructure. With all three changing constantly, point-in-time snapshots and hand calculations are not enough. Cyber risk quantification needs to become a decision support system that operates in near real time rather than waiting for lengthy interviews, training and manual reviews. That requires automation.
Automated cyber risk quantification is now a reality. Businesses should move quickly to understand their actual business risk and to prioritise the mitigation that protects critical business processes, applications and data. The need to automate the quantitative process, mapping to the FAIR (Factor Analysis of Information Risk) model while improving on it, could not be more urgent. Automation strengthens three areas for a cyber team: proactively modelling and predicting risk; establishing a baseline, then monitoring and mitigating changes against it; and recommending and driving informed action.
Identify and quantify at the board level
Board-level discussions about cyber risk are increasing the need to identify and quantify cyber risk exposure. Being able to track cyber financial risk over time, understand the impact of budget decisions and justify spending now drives business decisions on which risks to tolerate, treat or transfer.
Step one is to understand the organisation's cyber risk exposure in financial terms; step two is to decide how to mitigate it. That means adopting risk quantification that models many kinds of attackers and attacks against the organisation's controls, sensitive data and critical applications. Strong reporting then highlights the risks that are potentially most financially damaging to the organisation, presented in a form that business leaders and board members can understand.
A clear picture
Risk quantification that is transparent and computes risk from accurate data is key to prioritising the mitigation of future cyber attacks. It gives a clear, continuously updated picture of inherent risk (exposure before controls) and residual risk (exposure after the controls in place). The threat landscape, and the parts of it relevant to the business, keep changing, and so do the controls, applications, endpoints and data in the environment. Risk quantification lets those changes flow straight into the models, so the measurement of cyber risk moves beyond point-in-time assessments and becomes programmatic.
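To make the FAIR mapping, the financial-terms modelling of attack scenarios and the inherent-versus-residual comparison concrete, here is an added example of a simplified FAIR-style Monte Carlo estimate of annualised loss exposure (ALE). It is example code written for this page, not code from the page's author or any product it describes. The scenario figures (a hypothetical ransomware attack on an ERP application), the choice of a PERT distribution for threat event frequency, a Poisson count of loss events and a lognormal loss magnitude fitted to calibrated 10th/90th percentiles are this example's own modelling assumptions, not prescriptions of the FAIR standard. A control is represented simply as reducing vulnerability (the fraction of threat events that become loss events), and an analytic expected value is computed alongside the simulation as a sanity check.

```python
"""Simplified FAIR-style Monte Carlo estimate of annualised loss exposure (ALE).

Added example, not code from the page or any product it describes. The scenario
figures below are constructed for illustration.
"""
import math
import random
from dataclasses import dataclass, replace
from statistics import mean

Z_P90 = 1.2815515655446004  # standard-normal z-score of the 90th percentile


@dataclass(frozen=True)
class Scenario:
    """Calibrated inputs for one loss scenario (FAIR-style factors)."""
    name: str
    tef_min: float        # threat event frequency per year: min / most likely / max
    tef_ml: float
    tef_max: float
    vulnerability: float  # probability that a threat event becomes a loss event
    loss_p10: float       # 10th and 90th percentiles of single-event loss (GBP)
    loss_p90: float


def pert_sample(rng: random.Random, lo: float, ml: float, hi: float, lam: float = 4.0) -> float:
    """Draw from a modified PERT distribution (a scaled beta) over [lo, hi] peaked at ml."""
    if hi <= lo:
        return lo
    alpha = 1.0 + lam * (ml - lo) / (hi - lo)
    beta = 1.0 + lam * (hi - ml) / (hi - lo)
    return lo + rng.betavariate(alpha, beta) * (hi - lo)


def poisson_sample(rng: random.Random, rate: float) -> int:
    """Number of events in one year for an average rate (Knuth's method; fine for small rates)."""
    threshold = math.exp(-rate)
    count, p = 0, 1.0
    while True:
        p *= rng.random()
        if p < threshold:
            return count
        count += 1


def lognormal_from_percentiles(p10: float, p90: float) -> tuple:
    """Fit lognormal (mu, sigma) so its 10th/90th percentiles match the calibrated estimate."""
    mu = (math.log(p10) + math.log(p90)) / 2.0
    sigma = (math.log(p90) - math.log(p10)) / (2.0 * Z_P90)
    return mu, sigma


def simulate_one_year(scn: Scenario, rng: random.Random) -> float:
    """One trial: sample TEF, count threat events that become losses, sum their magnitudes."""
    tef = pert_sample(rng, scn.tef_min, scn.tef_ml, scn.tef_max)
    events = poisson_sample(rng, tef * scn.vulnerability)
    mu, sigma = lognormal_from_percentiles(scn.loss_p10, scn.loss_p90)
    return sum(rng.lognormvariate(mu, sigma) for _ in range(events))


def quantify(scn: Scenario, trials: int = 20000, seed: int = 7) -> dict:
    """Monte Carlo ALE with tail percentiles; a fixed seed keeps results reproducible."""
    rng = random.Random(seed)
    losses = sorted(simulate_one_year(scn, rng) for _ in range(trials))
    return {
        "ale": mean(losses),
        "p50": losses[trials // 2],
        "p95": losses[int(trials * 0.95)],
        "p_any_loss": sum(1 for x in losses if x > 0) / trials,
    }


def analytic_ale(scn: Scenario) -> float:
    """Closed-form expected annual loss: E[TEF] * vulnerability * E[single loss]."""
    tef_mean = (scn.tef_min + 4.0 * scn.tef_ml + scn.tef_max) / 6.0  # PERT mean
    mu, sigma = lognormal_from_percentiles(scn.loss_p10, scn.loss_p90)
    return tef_mean * scn.vulnerability * math.exp(mu + sigma ** 2 / 2.0)


def apply_control(scn: Scenario, effectiveness: float) -> Scenario:
    """Residual scenario: a control stopping a fraction of threat events lowers vulnerability."""
    if not 0.0 <= effectiveness <= 1.0:
        raise ValueError("effectiveness must be between 0 and 1")
    return replace(scn, vulnerability=scn.vulnerability * (1.0 - effectiveness))


# Constructed illustrative scenario (hypothetical figures, not real data).
ERP_RANSOMWARE = Scenario(
    name="ransomware against the ERP application",
    tef_min=0.5, tef_ml=2.0, tef_max=6.0,
    vulnerability=0.30,
    loss_p10=50_000.0, loss_p90=2_000_000.0,
)

if __name__ == "__main__":
    inherent = quantify(ERP_RANSOMWARE)
    residual = quantify(apply_control(ERP_RANSOMWARE, effectiveness=0.6))
    for label, r in (("inherent", inherent), ("residual", residual)):
        print(f"{label}: ALE £{r['ale']:,.0f}  p50 £{r['p50']:,.0f}  "
              f"p95 £{r['p95']:,.0f}  P(any loss) {r['p_any_loss']:.2f}")
    print(f"analytic inherent ALE £{analytic_ale(ERP_RANSOMWARE):,.0f}")
```

The point for board reporting is the pair of numbers the script prints: the inherent ALE and the residual ALE after a proposed control, with the p95 figure showing the tail the business is being asked to tolerate, treat or transfer. Re-running the model when a factor changes (a new threat actor raises the TEF range, a control's measured effectiveness drops, a data set grows and lifts the loss percentiles) is what makes the measurement programmatic rather than point-in-time; in practice those inputs would come from the TIP and asset inventory rather than being hard-coded as here.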