As malicious attackers and nation states have increasingly weaponized the cyber domain to impact private companies, the sustainability of organizations’ ties to their cybersecurity is in question across all industries and sectors. There are many examples of companies going out of business as a result of a cyber attack, due to business leaders failing to wrap their arms around all the different ways that the ever evolving cyber threat landscape can impact their business.
Given those high stakes, cybersecurity is no longer simply an IT issue. In fact, the recent U.S. Securities and Exchange Commission (SEC) guidance on Cybersecurity Risk Management forces business leaders to move away from divorcing the cybersecurity conversation from their business conversations. The way many companies prioritize and allocate their security budget has been elevated to the board level, where any spending recommendation demands increased scrutiny and clear communication. Simply throwing money at the problem cannot be the answer. Arbitrarily defining security budgets as a percentage of the total company has also not been proven to correlate with improvements to a company’s cybersecurity posture.
At the board and C-Suite level, holistic conversations about cyber risk are made to consider how revenue, operations, people, and technology can all be impacted by cyber incidents. This shift to holistic cyber risk management requires the different organizational stakeholders to align on the facts of cyber risk even when they seek to accomplish different goals. The CISO needs to prioritize projects based on their total cost and the financial impact reduction it will bring. The CFO will need to consider the cost and financial impact of mitigating different risks, while also evaluating the total financial impact of cyber risk for annual business planning. On the other hand, risk management teams will need to understand probability of event occurrence to conduct enterprise risk.
Cyber Risk Quantification (CRQ) has emerged as a discipline to translate the implication of cybersecurity on the business into a common language which is used to discuss strategic business decisions in financial terms. CRQ is well suited for enabling holistic risk management. Understanding the financial impact of security initiatives is the only way to achieve alignment, since risk mitigation metrics need to be translated into risk reduction on the business.
Successful implementation of CRQ promises to speak the language of the CISO, CFO, and risk manager, while being grounded in the analysis that organizations need to translate risk mitigation activities back to financial impact.
Yet despite its potential, the adoption of CRQ has been slow for the following reasons:
There is a lot of data to collect. While most CRQ tools can work with only information about a company’s revenue and industry sector, simply using the minimum inputs increases the uncertainty in the output because assumptions need to be made to fill in the data gaps. CRQ tools work best when there is data on a company’s cybersecurity controls available, because the results will more closely reflect the company’s true risk. Any given company can have hundreds of data points that define its security posture–all of which are continuously evolving.
There is no widely adopted CRQ standard. Traditional CRQ approaches rely on labor intensive assessments that take weeks to complete and are based on outdated snapshots of the business. Several vendors have entered the market in recent years employing different modeling techniques, such as: value at risk, machine learning, and regressions. While these vendors have automated the risk analysis, that still leaves execs and security leaders with the need to arrive at a consensus on which framework best suits their business. In an effort to differentiate and build credibility, CRQ vendors have created yet another way of thinking about cyber risk that organizational leaders need to learn and translate.
The outputs often lack context. Cyber risk evaluation tools have evolved from imprecisely defined heat maps that describe cyber risk as high, medium, or low, to analytics that now describe cyber risk in probabilistic and financial terms. The progress has simplified the communication of cyber risk–but the challenge of how to tie that analytical output to risk management strategies is an ongoing factor. We may now understand the magnitude and likelihood of cyber risk, but the next questions remain: which issue needs to be remediated, or how much cyber insurance should be obtained?
Introducing Cyber Risk Quantification by SecurityScorecard
Businesses today have urgent challenges:
bringing the communication around cyber risk in clear, measurable terms to organizational leaders, and
incorporating cyber risk into business planning.
With this top of mind, SecurityScorecard is pleased to introduce Cyber Risk Quantification. Our goal is to simplify cyber risk discussions, optimize security investments, and create business alignment with a combination of security ratings data and risk modeling output.
We’ve taken a unique approach to delivering CRQ by partnering with industry leaders to meet our customer needs. Starting with RiskLens and ThreatConnect, SecurityScorecard now can instantly deliver industry-leading scalable risk quantification. By centering the modeling around our unmatched sets of cybersecurity data, users are able to translate our vulnerability analysis from scores and ratings into financial impact metrics that enable investment prioritization conversations throughout the entire risk lifecycle.
As an example, our partnership with ThreatConnect allows us to pass our vulnerability data into their model that is grounded in MITRE Tactics, Techniques, and Procedures. Data is then calibrated using techniques standard to statistical analysis, linear regression, and machine learning. For the CISOs analyzing their vulnerability using the MITRE ATT&CK framework, we provide an instant way to communicate the financial impact that different security issues–like outdated browsers or operating systems–can have on the organization, which then allows them to have their projects internally prioritized among other budget line items.
For the Risk Managers looking to enhance cyber risk with substantial qualitative factors, augmenting the analysis derived from monitoring cyber vulnerabilities, our partnership with RiskLens provides best-in-class FAIR analysis. FAIR analyses scale for any risk factors, apply to information and operational risk, and integrate with Enterprise Risk Management.
Our approach aims to facilitate the integration of CRQ into holistic cyber risk management, and is defined by:
Scalability – With more than 12 million companies continuously monitored, organizational leaders can obtain a comprehensive view of cyber risk within seconds. There is no need for intrusive and labor-intensive projects whose findings can quickly lose relevance as cyber risk evolves. Instead, with SecurityScorecard, collection of security posture data is automated, allowing for real-time assessment that can be performed at any moment.
CRQ Marketplace – Recognizing that different stakeholders have different communication needs, our platform supports risk quantification approaches. Our approach makes it easier for evaluating which CRQ frameworks make the most sense for individual businesses and assisting with implementing multiple views of risk to account for the inherent associated uncertainties.
Alignment of ratings data and CRQ – Ratings data answers very specific questions about a company’s security posture, and those findings are tied directly to financial impact estimates. We are taking out the guesswork that comes when aligning cybersecurity performance to business goals.
SecurityScorecard’s Cyber Risk Quantification capabilities are grounded in one source of truth– a company’s individual, unique, continuously updated security rating–a source of truth that can help ensure the sustainability of any business.
