We live in a risky world. We are consciously assessing risk in almost every moment of our lives. There’s a risk of getting into a car and going to the grocery store or even eating sugar. One could argue life is a continuous cycle of risk assessment and mitigation, to a point where we don't realize it. Most of us don’t quantify our risk unless it’s a clear and present danger. You won't walk down a dark alley because the threat is imminent. Eating fast food often is just as risky, but the effects could be decades away.
Business is no different. There’s risk in our supply chain, brand, reputation, employees, intellectual property and more. Companies tend to focus on the clear and present danger, and rightly so. As with the recent Microsoft Exchange zero-day vulnerability, most companies quickly patched their email servers. Even the FBI jumped in and, with a court order, used the vulnerability to remove malicious code and shells. But what about hidden risks, the blind spots in our cybersecurity footprint? How do we quantify these risks?
Enter Cyber Risk Quantification (CRQ)
We are inundated with an endless stream of cybersecurity incidents, from ransomware and data breaches to insider threats, and the volume of threats is increasing (300% during COVID-19). The IBM Cost of a Data Breach Report 2020 put the average cost of a breach at $3.6m.
If you're thinking, "what does this mean to my company and me?" you’re not alone. We can quantify so many things in our business, like the cost of acquiring a customer, a support ticket and the Net Promoter Score. But cybersecurity is nebulous and riddled with fear and anxiety.
CRQ looks at the impact of cyber risk on businesses, in dollars, and more intangible yet fundamental areas like customer satisfaction, employee engagement, reputation management, brand protection or supply chain management. CRQ allows executives to make intelligent and prioritized decisions on cybersecurity investments because they target specific aspects of the business.
CRQ is a new way of looking at risk, considering the technical aspects, and relating risk to the business by tracking metrics.
How Do We Implement CRQ?
CRQ is simple in theory but time-consuming and manually intensive to implement and maintain. However, new platforms automate CRQ, can be implemented quickly and can be kept "always-on" to ensure accurate data. Leaders must understand that CRQ is not a "project" but a continuous process.
There are two parts to CRQ — technical risk and business risk. Technical risk is the foundation of business risk. You can't quantify business risk without determining technical risks.
Businesses can implement CRQ in three steps:
1. Select a Destination. Think of a destination as a goal that you can measure. Use a common framework, like NIST 800-53 (multiple levels to choose from), NIST Cybersecurity Framework (CSF), or ISO 27002. Understand your organization may need multiple frameworks to cover your regulatory requirements and general cybersecurity needs. Using a framework will give you a baseline of the cybersecurity "controls" you need to comply with requirements.
2. Audit Your Technology Security Stack. To understand your cybersecurity blind spots, you need to compare your "destination" (step 1) to your capabilities. An in-depth audit of your tech security stack is required, including vendors, products, versions and capabilities of each version. Once you understand the capabilities of your security ecosystem, you can compare these capabilities to the "controls" and see exactly where gaps and overlaps are. Gaps are controls that are not met and are introducing risk, while overlaps are areas where you might be overspending and are ripe for optimization. A nice byproduct of this step is you will clearly see where you need to shift and optimize investments.
3. Develop Business Metrics for CRQ. The steps above are the building blocks of true CRQ. By completing step 2, you can quantify your technical risk. However, CRQ is also about quantifying your business risk. Regulate and aggregate the "controls" you defined in step 1 into a set of metrics meaningful to your organization, like customer experience, asset management, third-party or partner risk and data integrity. If you’re a multinational company, think about geopolitical risk or climate change. Business metrics are contextual to each organization. Once you establish your metrics and map cybersecurity controls to those metrics, you can "score" each metric by how many of the cybersecurity controls associated with it are met. At that point, you have a baseline scale and can build a trending analysis. You can see exact gaps in your cybersecurity controls and make investment decisions to raise the scores of the business metrics important to your organization.
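The three steps above, carried through as an added worked example (this code is not from the article and describes no real product assessment): a chosen set of controls is the "destination", an inventory of the security stack is compared against it to surface gaps and overlaps, and controls are then mapped to business metrics and scored so that a baseline and a trend can be tracked. The control IDs are real NIST SP 800-53 controls, but the vendors, products, their claimed coverage and the control-to-metric mappings are constructed sample data.

```python
from collections import defaultdict

# Step 1: the "destination". An illustrative subset of NIST SP 800-53 controls;
# a real programme would load the full baseline it selected.
CONTROLS = {
    "AC-2": "Account Management",
    "AU-6": "Audit Record Review, Analysis, and Reporting",
    "CP-9": "System Backup",
    "IR-4": "Incident Handling",
    "SC-7": "Boundary Protection",
    "SI-4": "System Monitoring",
}

# Step 2: inventory of the security stack, with the controls each product
# claims to satisfy. Vendors, products and coverage are hypothetical sample data.
STACK = [
    {"vendor": "ExampleCo", "product": "Perimeter FW", "version": "4.2", "controls": {"SC-7"}},
    {"vendor": "ExampleCo", "product": "SIEM", "version": "9.1", "controls": {"AU-6", "SI-4"}},
    {"vendor": "OtherCo", "product": "NDR sensor", "version": "2.0", "controls": {"SI-4"}},
]

# Step 3: business metrics and the controls that feed each one. The mapping is
# contextual to an organization; this one is constructed for illustration.
METRICS = {
    "customer_experience": {"SC-7", "IR-4"},
    "data_integrity": {"CP-9", "AU-6", "AC-2"},
    "detection_and_response": {"SI-4", "AU-6", "IR-4"},
}


def coverage(stack, controls=CONTROLS):
    """Return {control_id: [products covering it]} for the given inventory."""
    covered = defaultdict(list)
    for tool in stack:
        for ctrl in tool["controls"]:
            if ctrl in controls:  # ignore claims outside the chosen framework
                covered[ctrl].append(f'{tool["vendor"]} {tool["product"]} {tool["version"]}')
    return covered


def gaps_and_overlaps(stack, controls=CONTROLS):
    """Gaps: controls no product meets (unmitigated risk).
    Overlaps: controls met by more than one product (candidates for optimisation)."""
    cov = coverage(stack, controls)
    gaps = sorted(c for c in controls if c not in cov)
    overlaps = {c: sorted(p) for c, p in cov.items() if len(p) > 1}
    return gaps, overlaps


def score_metrics(stack, metrics=METRICS, controls=CONTROLS):
    """Per-metric score: percentage (0-100) of its mapped controls that are met."""
    cov = coverage(stack, controls)
    scores = {}
    for name, ctrls in metrics.items():
        met = sum(1 for c in ctrls if c in cov)
        scores[name] = round(100 * met / len(ctrls))
    return scores


def trend(before, after):
    """Change per metric between two scoring runs (e.g. baseline vs. after an investment)."""
    return {m: after[m] - before[m] for m in before}


if __name__ == "__main__":
    gaps, overlaps = gaps_and_overlaps(STACK)
    print("Gaps (unmet controls):", gaps)
    print("Overlaps (possible overspend):", overlaps)
    baseline = score_metrics(STACK)
    print("Baseline metric scores:", baseline)
    # Hypothetical investment decision: add a backup product that meets CP-9,
    # then re-score to see which business metric moved and by how much.
    new_stack = STACK + [
        {"vendor": "BackupCo", "product": "Vault", "version": "1.0", "controls": {"CP-9"}}
    ]
    print("Change after adding backup:", trend(baseline, score_metrics(new_stack)))
```

Because the scoring is a pure function of the inventory, running it on every inventory change (new product, version upgrade, decommissioning) is what makes the practice "always-on": the same control-to-metric mapping is re-evaluated rather than re-audited by hand, and the per-metric deltas are the trend line executives can act on.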
Consistent and "always-on" CRQ practice is key to quantifying cyber risk, making better business decisions, optimizing your investments, and reducing overall business risk. Like many business practices, CRQ needs to be driven by executive leadership and ingrained as part of ongoing cybersecurity hygiene.