Business decisions should be based on well calculated risk – and today most are. But to make informed decisions, leaders depend on timely, high-quality data, including economic forecasts, competitor analysis, sales data, buying patterns and more. They need to interpret all this data, cut out the noise and, in a way, try to predict the future.

What will the world want and need in the short and long term that the business can provide? What problems can the business offer solutions to? Leaders need to calculate the costs to design, build and provide these solutions, whether they already have adequate numbers of employees with the right skills or need to recruit extra talented people with different skills and experience. They need to consider the outcomes of making the best decisions and the consequences if they don’t. This is all incredibly complex. And it’s extremely important for leaders to get it right.

However, cyber risk is a very different type of challenge. It’s a totally different way of thinking from trying to make the organisation a profit. The role of Chief Information Security Officer (CISO) is a huge responsibility and one that can weigh heavily on the shoulders. Many CISOs feel pressured and isolated, and, yes, they really do lie awake at night worrying about cyber threats and whether the next cyber-attack will break through their defences and cause harm to their organisation.

In contrast, almost every other employee is likely to be unaware of the damage a single cyber incident could cause at any time. In a worst-case scenario, the most severe cyber-attack could bring an organisation to its knees. In short, cyber risk is over-simplified in most organisations and most industries.

The pretence of objectivity

Ever since the concept of cyber security risk emerged, security teams have been unable to accurately quantify cyber risk in a way they can communicate clearly, with supporting evidence, to the business or the board of directors. This has left a huge gap in understanding between the security team and the rest of the business. So, until now, security teams have resorted to whatever subjective data they can get their hands on to get their points across as best they can. Try as they might, this approach lacks accuracy and hard evidence.

While some do a great job of making the case with a well-researched study, in fact it’s all quite subjective and biased. They can skew such data towards whatever message they want to convey, rather than take a hard scientific approach. This can only lead to ill-informed decisions and suboptimal actions.

As soon as a sharp-eyed board member starts asking the right questions, everything can fall apart. How are risks rated, and how clearly are they distinguished from one another? Is a risk rated as 4/10 half as risky as an 8/10 risk? Does the whole system stay logical and robust when you add new risks?

And so, in effect, this is all educated guesswork. Hardly a strong method of assessing serious risks to an organisation that provides services or products for its customers and jobs for its employees.

In over 25 years of working in security, I still haven’t found an organisation in the private, public or not-for-profit sectors that is confident it has put in place a credible cyber risk programme. Business leaders should demand much better for something that is so fundamentally important.

Embedding CRQ into business strategy

Cyber Risk Quantification (CRQ) is an established method for objectively determining the exposure to cyber risk and the potential consequences of a cyber security event in terms relevant to the business. There are multiple models for implementing CRQ, but nearly all of them take into account some common elements. These include crucial assets, probable scenarios, threat environment and landscape, potential business loss impact, time and expense required for mitigation, possible regulatory fines and penalties, and damage to business reputation.

Today, only a handful of regulated industries make CRQ mandatory, but I believe this list will grow over time. Far too many companies have no CRQ programme in place at all. The few that do have one struggle to use it to drive business action. Forrester has called CRQ a “nascent” market but one that “will fundamentally revolutionize the way that security leaders engage with boards and executives to discuss cybersecurity.”

I totally agree. In my view, CRQ should be adopted as a mandatory strategy to protect the organisation’s assets, its employees and customers, and its reputation. CRQ shouldn’t be viewed as a hassle and a cost. It’s a business enabler and accelerator. Organisations that master CRQ will gain genuine competitive advantages. Here’s why:

  1. CRQ aligns cyber security with other business risks. By establishing a common language and structure for discussing risk with universally recognised metrics, it ensures business leaders begin their discussions about possible strategies and alternatives on an equal footing.
  2. CRQ enhances the robustness of an organisation. Conventional risk models, which are qualitative, fall short and leave organisations vulnerable. CRQ offers a blueprint for bolstering resilience that transcends subjective indicators, offering objective evaluations and practical insights.
  3. CRQ can guide capital investment decisions. Every investment, not just those related to cyber security, influences risk. An efficient CRQ programme can assist in determining how to allocate risk capital and measure the return on investment.
  4. CRQ enables you to accurately quantify the risk of any potential move and make better-informed decisions. It facilitates informed risk-taking. A no-risk strategy is not viable, as it implies no action. Businesses must innovate and adapt to expand, which necessitates accepting some level of risk.
  5. CRQ can aid in reducing cyber insurance premiums. With the rising frequency and scale of attacks, cyber security insurance costs are soaring. CRQ can assist organisations in accurately defining their risk to negotiate lower premiums based on solid evidence.
  6. CRQ can serve as a competitive edge. Cyber security has emerged as an essential business infrastructure, and if your competitors can make decisions based on data, you risk falling behind. CRQ is vital for both safeguarding the organisation and seizing strategic opportunities.
  7. CRQ facilitates prompt decision-making. It is crucial in today’s fast-paced world to have the insights needed to act swiftly. That’s why CRQ should be a continuous process, ensuring business leaders always have real-time analysis at their fingertips. We anticipate a future where CRQ becomes a fully automated process that instantly reports any business environment change as a quantifiable risk, enabling on-demand scenario analysis for decision-making guidance.

Ready to get started?

Hopefully you agree that CRQ is well worth the time and effort. Here are a few key points to think about if you’re ready to push ahead with it:

  • Bear in mind that the purpose of CRQ is to refine your risk management, not to introduce drastic changes. The procedures and practices you introduce should be carried out in a steady, step-by-step fashion, not a complete overhaul. This allows you to understand how each modification affects your risk.
  • CRQ is as much a technological venture as it is a process of organisational transformation. The success of the endeavour is directly tied to gaining the support and commitment of stakeholders, and how effectively it is implemented throughout the organisation. It’s crucial to adapt your organisation’s culture in parallel with the technical changes.
  • Selecting the most appropriate partner is crucial. Your organisation may have some expertise and ability to conduct CRQ, but this is unlikely to be sufficient. An experienced partner can offer a dedicated team with deep knowledge of the risk landscape and risk mitigation strategies, ensuring CRQ is effectively implemented and not relegated while other urgent issues are being addressed.
  • Be wary of solutions that aren’t transparent. Many vendors provide tools that essentially use Monte Carlo simulations to predict risk. However, the data used in these simulations is vital – it must be relevant and of good quality in relation to your business. Ensure your CRQ partner thoroughly understands your threat landscape, your assets, and your business objectives, and that both of you are clear on the variables to be included in the CRQ analysis.
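To make the last point concrete, here is a small frequency-times-magnitude Monte Carlo model of the kind those tools run, written as an added example (not code from the original post or from Quorum Cyber) using only the Python standard library. The scenario names, event rates and loss figures are constructed inputs; the two scenarios share the same rate and median loss and differ only in how well evidenced the loss estimate is, which is exactly why the quality of the input data matters as much as the simulation.

```python
import math
import random
from dataclasses import dataclass

@dataclass
class Scenario:
    """One loss scenario in the frequency x magnitude form most CRQ models use."""
    name: str
    events_per_year: float  # best estimate of how often the event occurs (Poisson rate)
    median_loss: float      # median loss per event, in currency units
    spread: float           # sigma of the log-normal loss; wider = less certain evidence

def poisson(rng, lam):
    """Knuth's algorithm: number of events in one simulated year for rate lam."""
    limit = math.exp(-lam)
    k, p = 0, 1.0
    while True:
        p *= rng.random()
        if p < limit:
            return k
        k += 1

def simulate(sc, trials=40_000, seed=1):
    """Return one total-loss sample per simulated year for the scenario."""
    rng = random.Random(seed)
    mu = math.log(sc.median_loss)
    losses = []
    for _ in range(trials):
        n = poisson(rng, sc.events_per_year)
        losses.append(sum(rng.lognormvariate(mu, sc.spread) for _ in range(n)))
    return losses

def summarise(losses, threshold):
    """Expected annual loss (EAL) and the probability of exceeding a threshold loss."""
    eal = sum(losses) / len(losses)
    p_exceed = sum(1 for x in losses if x > threshold) / len(losses)
    return {"eal": eal, "p_exceed": p_exceed}

def analytic_eal(sc):
    """Closed-form check on the simulation: rate times the mean of the log-normal loss."""
    return sc.events_per_year * math.exp(math.log(sc.median_loss) + sc.spread ** 2 / 2)

# Constructed inputs: same rate and median loss, but ROUGH is a loosely evidenced estimate.
EVIDENCED = Scenario("ransomware, costed from incident records", 0.5, 200_000.0, 0.8)
ROUGH = Scenario("ransomware, rough guess", 0.5, 200_000.0, 1.6)

if __name__ == "__main__":
    for sc in (EVIDENCED, ROUGH):
        s = summarise(simulate(sc), threshold=1_000_000)
        print(f"{sc.name}: EAL ~ {s['eal']:,.0f}, P(loss > 1M) = {s['p_exceed']:.3f}")
```

The output is in money terms rather than a 4/10 score, so a board can ask "how likely is a year costing more than one million?" and see how much that answer moves when the underlying evidence is weak.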

The cyber threat landscape has reached a point where all organisations need to take cyber risk very seriously. The days when a subjective approach and a finger in the air helped to defend IT systems, data, and reputations are long over. It’s time to make CRQ a top strategic priority and link CRQ to the organisational risk. The board and the CISO need to work together to ensure risk is minimised and the organisation can thrive whatever cyber threats are thrown at it.

Discover how to strengthen cyber security and optimise budget

You’re welcome to download Quorum Cyber’s free whitepaper, Mastering Cost Management and Reduction: A Guide for Chief Information Security Officers, to explore how to improve outcomes and results in any organisation in any sector.

Explore Quorum Cyber’s services

To learn more about the company’s cyber security and data security services, please visit the services section of the website, or contact us on 0333 444 0041 or via [email protected].
