How to align cybersecurity investment with your business risk

Many CISOs can probably relate to the old saying “half the money I spend on advertising is wasted; the trouble is, I don’t know which half”. Investing in cybersecurity controls, without the help of quantifiable data, means they are often unsure where to target their investment most effectively.

To address this, C-Risk has launched a three-part series of webinars, aiming to share best practice on how to factor IT security control performance in order to calculate cyber risk in financial terms.

When organizations have a better understanding of which controls give the most value, they can make more informed decisions about reducing their risks and minimizing outages or loss events. This way, they can align security investment more closely with business assets that are most at risk.

Christophe Forêt

An article from

Christophe Forêt
President and co-founder of C-Risk
Published
February 13, 2022
Updated
October 15, 2023
Reading time
minutes
cybersecurity investment - C-Risk

Identifying investments

The guest speaker at the webinar was Jack Jones, an authority in cyber risk management who created the FAIR standard, and who currently serves as chief Risk scientist at Risk Lens. “Organizations absolutely need to be very good at identifying where they need to be spending their time and effort,” he said. “If an organization believes it should be investing in encryption, multi-factor authentication or a SIEM solution, or whatever the case might be, it’s their responsibility to understand whether that’s a good investment or not.”

The webinar looked at the role of FAIR (Factor Analysis of Information Risk), an independent standard for quantifying and managing information risk. This has generated a lot of excitement and anticipation within the risk management community, according to Tom Callaghan, Co-founder of C-Risk and co-chair of the FAIR Institute Paris chapter.

Transform how you model, measure, and manage cyber risk.

Don't wait for the inevitable cyber incident. Build a resilient, risk-based cybersecurity program with Cyber Risk Quantification.

Learn more

Assessing security controls

CISOs can use FAIR and its control analytics model, FAIR-CAM, to scope risk scenarios while assessing the performance of security controls in mitigating those risks. This way, they can understand which controls work for certain specific scenarios.

The webinar described one such scenario using a fictitious company that has an internet-facing web app that generates revenue – and is therefore valuable – but is victim to growing numbers of exploitable vulnerabilities.

“The goal is to reduce the probability of an extended outage of the service and the financial impact on the organisation… FAIR-CAM can help to identify the controls which directly or indirectly impact loss for a well scoped scenario,” said Callaghan.

Other topics covered in the webinar include:

  • How organizations can reduce their levels of vulnerability and increase resistance strength
  • How FAIR and FAIR-CAM can support risk at the operational risk level
  • How to reduce ‘noise’ of constant alerts by differentiating between vulnerabilities and exploits
  • Where to prioritize remediation efforts so you don’t suffer ‘analysis paralysis’
  • Why it’s important to develop narrowly scoped risk scenarios to inform decisions

In this article
Improve decision-making with Cyber Risk Quantification

We build scalable solutions to quantify cyber risk in financial terms so organizations can make informed decisions to improve governance and resilience.

Book a free strategy session

Related articles

Read more on cyber risk, ransomware attacks, regulatory compliance and cybersecurity.

See all articles
budgetary challenge CISO - C-Risk

CISO Budget Challenge | C-Risk

Explore the key strategies to optimize cybersecurity spending while addressing emerging threats

Christophe Forêt

17/10/2023
FAIR standard - C-Risk

The Open FAIR™ 2 Foundation Certification | C-Risk

Demonstrates that you have gained knowledge of the terminology, structure, and basic concepts of FAIR with the Open Group FAIR™ 2 Foundation Certification

Melissa Parsons

1/10/2024
GRPD compliance cybersecurity - C-Risk

GDPR compliance and its impact on your cybersecurity strategy

Being compliant with GDPR and having efficient data protection policy is a tricky challenge that can be overcome with Cyber Risk Quantification (CRQ).

Christophe Forêt

7/6/2023

C-Risk is a recognized expert in Cyber Risk Quantification using the FAIR™ methodology. We provide CRQ solutions, advisory services and training.

Our services
CRQ as a ServiceCRQ Enablement ServicesCRQ Consulting & Advisory Services
Our solutions
SAFE One CRQ PlatformSafe One Third-Party
C-Risk Education
CRQ TrainingCRQ E-learning
Use cases
Communicate to the Board & Executive ManagementThird-Party Risk ManagementMerger & AcquisitionOptimize Cyber Insurance CoverageSize, Allocate and Justify an Infosec BudgetFacilitate Regulatory ComplianceCISO Top Risks and Controls Prioritization
Resources
BlogNewsVideos
Company
About C-RiskCareersPartnersC-Risk in the News
Your role
Executive ManagementCISORisk Professionals
Contact
Contact us
Language
Created by Sales Odyssey
Legal noticeData Privacy