Quantified Cyber Risk Assessments
Quantified cyber risk assessment has been the recurring theme of a three-part webinar series held by C-Risk together with its partner RiskLens (now part of Safe Security). The third webinar focused on quantifying control efficiency and on how this feeds into better decisions about reducing risk.
A poll held during the webinar revealed a 50/50 split among attendees over whether their organization quantifies risk in financial terms. One half already do so or have started to. The other half was evenly split between those not doing so and those interested but yet to begin.
Gaining leadership support for quantifying cyber risk
What’s more, another poll revealed that many organizations lack support, particularly at leadership level, for measuring cyber risk in financial terms, also known as cyber risk quantification (CRQ).
One way to overcome this obstacle is to work with the business to identify an important strategic decision and use that to introduce quantitative risk assessment.
“Applying CRQ to use cases which are linked to strategic decisions is one way to get more engagement and support from a top-down perspective,” says Tom Callaghan, Co-founder of C-Risk and co-chair of the FAIR Institute Paris chapter.
“By working with your business teams using this approach, you can get a lot closer to driving decisions in the organization and understanding how business works and getting more support for information security governance,” he adds.
Other best practice steps shared on the webinar include:
- Always think about the purpose of a risk assessment: what decisions are at stake?
- Get as much information as possible about the overall environment and the digital assets.
- Scope risk scenarios that support decisions.
Jacqueline Lebo, a senior risk consultant with RiskLens LLC, advises using rapid risk assessment techniques to gauge what information the organization is most concerned about, and to map out the risks from there.
“If it’s the crown jewel, they need it to be available and need it to be secure – the confidential information can’t leak,” she says.
Choosing controls to reduce risk effectively
She gives the example of a US healthcare group that has acquired multiple smaller provider practices and is developing an integration strategy to optimize productivity, patient wellbeing and running costs.
Jacqueline demonstrated how, with risk expressed in financial terms, the healthcare group could see that choosing one control over another would reduce risk by $2 for every $1 spent.
Zack Sumney, senior risk consultant with RiskLens, adds that developing a common portfolio of the threats facing assets helps organizations see which controls work best.
“We need that baseline and definition of how controls are reducing risks and how effective they will be at different sites,” he says.
Risk managers can then use this information to build a return on investment case based on cost or efficacy and see where they are achieving the biggest reduction in risk.
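As an added, worked illustration of the kind of comparison described above (example code written for this page, not the webinar's model or the SAFE One platform's), the Python below runs a FAIR-style Monte Carlo: loss event frequency and loss magnitude are sampled from min / most likely / max estimates, a candidate control scales one or both, and the controls are ranked by expected loss avoided per dollar of annual cost, the "$2 for every $1 spent" figure from the healthcare example. The ransomware scenario, the two controls and their effect sizes are constructed for the example and are not real data.

```python
"""FAIR-style Monte Carlo comparison of two candidate controls.

Added illustration: the scenario and control figures are constructed for
this example and are not taken from the webinar or from any real client.
"""
import math
import random
import statistics
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Scenario:
    """One risk scenario, parameterised the way FAIR does it: loss event
    frequency (events per year) and loss magnitude ($ per event), each as a
    (min, most likely, max) calibrated estimate."""
    name: str
    lef: tuple
    lm: tuple


@dataclass(frozen=True)
class Control:
    """A candidate control: what it costs per year and how much it is
    believed to shrink frequency and/or magnitude (fractions 0.0 to 1.0)."""
    name: str
    annual_cost: float
    lef_reduction: float = 0.0
    lm_reduction: float = 0.0


def _poisson(rng: random.Random, lam: float) -> int:
    """Number of loss events in one simulated year (Knuth's method, fine for
    the small annual rates typical of loss-event scenarios)."""
    limit, k, p = math.exp(-lam), 0, 1.0
    while True:
        p *= rng.random()
        if p <= limit:
            return k
        k += 1


def simulate_ale(scenario: Scenario, control: Optional[Control] = None,
                 years: int = 20000, seed: int = 7) -> float:
    """Annualised loss expectancy in dollars: mean annual loss over many
    simulated years, optionally with a control applied. A fixed seed means
    every control is evaluated against the same random draws."""
    rng = random.Random(seed)
    lef_scale = 1.0 - (control.lef_reduction if control else 0.0)
    lm_scale = 1.0 - (control.lm_reduction if control else 0.0)
    lo_f, ml_f, hi_f = scenario.lef
    lo_m, ml_m, hi_m = scenario.lm
    annual_losses = []
    for _ in range(years):
        # This year's event rate from the calibrated range, then the actual
        # number of events, then a magnitude per event.
        rate = rng.triangular(lo_f, hi_f, ml_f) * lef_scale
        events = _poisson(rng, rate)
        loss = sum(rng.triangular(lo_m, hi_m, ml_m) * lm_scale
                   for _ in range(events))
        annual_losses.append(loss)
    return statistics.fmean(annual_losses)


def control_roi(scenario: Scenario, control: Control, **kw) -> dict:
    """Risk reduction bought by a control, expressed as dollars of expected
    loss avoided per dollar spent, plus the net benefit after its cost."""
    baseline = simulate_ale(scenario, None, **kw)
    with_control = simulate_ale(scenario, control, **kw)
    avoided = baseline - with_control
    return {
        "control": control.name,
        "baseline_ale": baseline,
        "controlled_ale": with_control,
        "risk_reduction": avoided,
        "reduction_per_dollar": avoided / control.annual_cost,
        "net_benefit": avoided - control.annual_cost,
    }


def rank_controls(scenario: Scenario, controls, **kw) -> list:
    """Controls ordered by risk reduction per dollar, best first."""
    return sorted((control_roi(scenario, c, **kw) for c in controls),
                  key=lambda r: r["reduction_per_dollar"], reverse=True)


# Constructed inputs (hypothetical, not real data): ransomware against a
# hospital group's patient-records platform, and two candidate controls.
RANSOMWARE = Scenario("Ransomware on patient records",
                      lef=(0.5, 2.0, 5.0), lm=(50_000, 200_000, 1_000_000))
CONTROLS = [
    Control("MFA on remote access", annual_cost=150_000, lef_reduction=0.6),
    Control("Immutable offline backups", annual_cost=300_000, lm_reduction=0.5),
]

if __name__ == "__main__":
    for r in rank_controls(RANSOMWARE, CONTROLS):
        print(f"{r['control']:<26} ALE ${r['baseline_ale']:,.0f} -> "
              f"${r['controlled_ale']:,.0f}; "
              f"${r['reduction_per_dollar']:.2f} avoided per $1 spent")
```

Two points the numbers alone do not show: a control that cuts frequency and one that cuts magnitude can both be worthwhile, and ranking them needs the same baseline and the same estimates of efficacy that Zack Sumney describes; and because the simulation is seeded, swapping only the control changes only the control's effect, not the sampling noise, so small differences between candidates are real rather than artefacts of the run.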
Operationalize control assessments
Many organizations still have not operationalized their control assessments, leaving CISOs and risk managers reliant on time-intensive, manual processes. This ad-hoc approach limits efficiency and fails to provide ongoing insight into the performance of controls. Without regular, automated assessments, it's nearly impossible to measure the effectiveness of controls over time or pinpoint where they are most effective.
To address these challenges, C-Risk works with CISOs to implement the SAFE One CRQ platform and then get teams onboarded quickly. With SAFE One, organizations are able to automate quantified risk assessments, enabling continuous monitoring and providing actionable insights to enhance control effectiveness and reduce risk across the board.
We build scalable solutions to quantify cyber risk in financial terms so organizations can make informed decisions to improve governance and resilience.