A major cybersecurity event can dissolve millions of dollars in assets and tarnish even the strongest company’s reputation. As cybersecurity concerns grow and evolve, companies need to be prepared for the inevitable cyber-attacks with strong defenses to identify breaches and minimise damage. But how does leadership know where to invest in cybersecurity? How much is at risk? What should be prioritised? The answer lies in Cyber Risk Quantification (CRQ).
Cyber risk quantification uses industry leading and highly vetted probabilistic models to more accurately describe the cyber security and technology-based risks facing an organisation. Protiviti has been quantifying cyber risk since the beginning. Leveraging Subject Matter Experts (SME), such as business users, asset owners and key technical experts that may not have been previously included in cyber risk assessments; while taking data readily available to these SME’s, we are able to gather data more rapidly and make more accurate measurements for each factor within a given risk.
As a Founding Advisory Partner of the FAIR Institute, and a partner of RiskLens, the leading software as a service based on the FAIR model, the team at Protiviti is comprised of all levels from varying backgrounds, all specialising in quantifying risk. Typical engagements can range from a small scoped engagement, lasting a couple of days, all the way to a full programme transformation and even maintenance.
The FAIR methodology has changed the way cyber experts think and speak about risk in a threat environment where they are faced with uncertainty daily. The attendees came together with one common goal – to understand how to better evaluate the cyber risks their organisations are faced with and deliver meaningful and actionable reporting on these risks.
Last week, an important Securities and Exchange Commission (SEC) Interpretive Guidance, which we analysed in a Protiviti Flash Report, set the bar for corporate cybersecurity risk assessments. One particular aspect of the new guidance relating to how companies conduct risk assessments and report on cybersecurity risks is the need to understand “the range and magnitude of the financial impacts” of cyber risks and incidents.
As cybersecurity concerns grow, leadership is searching for the metrics and insights that matter. At the end of last year, Protiviti sponsored a Cyber Summit in Chicago with speakers from Northwestern Mutual, First Midwest Bank, Zebra Technologies, and ParkerGale Companies. We were also joined by Doug Hubbard, author of How to Measure Anything in Cybersecurity Risk. The talks centered on how cybersecurity metrics can be used to communicate effectively with the board.
Given the limits on time, attention and resources with which every cyber team must contend, risk assessment plays a critical role in helping set priorities and decide between options. Having a rigorous and accurate risk assessment process goes a long way in determining an organization’s cybersecurity performance.
Leveraging quantitative modeling empowers an organisation to fully understand the risks they are faced with in business terms. This allows for budgetary justification, re-prioritisation and full delivery and support at the highest levels. Implementing a Quantitative Risk Management Programme doesn’t need to be a long, tedious or heavy obstacle before truly gaining useful results. Components of a programme can be implemented at various stages to make the most impact for each organisation. Common projects to accomplish before completing a programme transformation are: