August 30, 2022
I had an exciting time attending Black Hat 2022 in Las Vegas. Black Hat is great each year, but this year was a special one because I got to meet and chat with many security leaders in person after a long time. On my flight to Las Vegas, I read the book “Connecting the Dots.” It is authored as a first-person account by John Chambers, Chairman Emeritus of Cisco and a Balbix investor. There is a lot of timeless wisdom that John shares in the book, but the following excerpts stood out to me:
“I listened to customer updates every night, every weekend. You start to see patterns and get a sense of the overall health and quality of business.” He further continues, “I look at customers as my chief strategy officers in the field. They’re my best source of intelligence on where the world is going and how the market is starting to change.”
Fortunately, I was able to put these words into action through the interactions my colleagues and I had with security leaders. Via these conversations, and in some of my subsequent readings, I was able to capture some eye-opening insights about different aspects of cybersecurity, more specifically on the state of cyber risk quantification (CRQ) in the industry.
Let’s deep dive into 3 truths I discovered about the state of CRQ.
My first insight is that communicating the value of cybersecurity programs and risks objectively is no longer seen as “nice to have.” CRQ itself is no longer an unfamiliar acronym. It has turned into a top-of-the-mind priority for the various CISOs my colleagues and I spoke with.
CISOs are increasingly seeing CRQ as a way forward to dollarizing an organization’s cybersecurity posture. Gone are the days when CISOs could get away with presenting a subjective assessment of cyber risk to their boards and leadership.
This sentiment is echoed by Gartner. In their recent benchmarking report on CRQ, Gartner mentions, “faced with increasing board scrutiny and executive demand for cybersecurity services, security and risk management (SRM) leaders are turning to cyber-risk quantification (CRQ) to communicate risk, aid enterprise decision making, and prioritize cybersecurity risks with greater precision.”
I encountered a similar sentiment during one of our demo conversations with the CISO of a leading finance organization. He described how he was “struggling to provide his board and executive leadership with visibility into the organization’s overall cyber risk.” He clarified that he was looking not only to quantify the risk but also to explain how the risk was calculated and to have the ability to trace risk issues at the asset level. I have noticed similar asks in our conversations with security leaders across industry verticals, including healthcare, manufacturing, legal, banking, airlines, technology, pharma and more. It’s not just about the quantification of cyber risks. CISOs are also focused on traceability and actionability towards achieving better outcomes.
In my conversations with security leaders, I observed that they achieve results from CRQ solution implementation along 2 distinct dimensions: soft outcomes and hard outcomes.
Soft outcomes included building rapport with board and executive leadership and developing enhanced trust.
Hard outcomes included demonstrating real dollar benefits, convincing the board to fund important projects, accelerating the remediation of risks and improving their cybersecurity insurance policies. Hard outcomes often entail being able to analyze the mountains of data that security teams have. For example, a security leader from a top banking firm looking at Balbix’s dashboard said, “it looks like now we have the data – next we just need to figure out what it means.” He then expressed the desire to use CRQ to calculate mean time to remediate (in addition to expressing risk in dollar terms). It was a clear case of hard outcomes being a priority.
Gartner also supports the approach of segregating CRQ results along two dimensions. One study I read split the results into action-based results (saving money, improving security projects prioritization, adding value to security decisions) and awareness-based results (increasing credibility with senior stakeholders, aligning cyber-risk with enterprise risk, etc.). The study noted that in this phase CISOs are achieving more awareness-based results as opposed to action-based results. This insight leads to the third truth that I uncovered.
One of the security leaders I heard from shared the following:
“I will be brutally honest here and say that quantification is beyond the reach for many CISOs at this point in time. Assigning dollar values to risks, vulnerabilities and exploits… is still a subjective task at best, so when you apply a subjective measurement expecting to obtain an objective quantification, the leap of faith is just too far. It does not hold up to scrutiny when you are asked to explain how you arrived at quantified monetization. So the fallback is red/yellow/green subjective asset risk measurement. It’s just the best we can do right now.”
Communicating the value of cybersecurity is a challenging task in the absence of simple, automated ways to show value. Security leaders, despite being intentional about communicating value, tend to fall short of what they are being asked to present by the board and executive leadership.
For CISOs, it is becoming increasingly important to balance the “security jargon” with what it really means for the business. Typically, organizations deploy a cyber risk quantification program to provide business context. Again, let me cite Gartner. In one of their reports, they list almost a dozen methodologies that organizations use to measure CRQ, including: a balanced scorecard, the opportunity cost method, cyber security program maturity, and a financial data risk assessment. Another commonly used method to quantify cyber risk is called Factor Analysis of Information Risk (FAIR). It is designed as a framework to understand, measure, and analyze cybersecurity risk.
Most of the above-stated methods serve a purpose but also suffer from notable drawbacks. These methods tend to be qualitative instead of quantitative, involve a slew of manual calculations, and don’t provide a real-time picture of the cyber risk prevailing in an organization. We discuss some of the limitations of FAIR in our blog, UnFAIR Cyber Risk Quantification: Balbix vs. FAIR.
What CISOs really need is a method to quantify the cyber risk that:
With Balbix’s CRQ solution, security leaders can unify all of their cybersecurity data into a single comprehensive cyber risk quantification model. In doing so, everyone – from security analysts to the board – is provided with a view of cyber risk in dollars. Cyber risk can be easily reported according to business needs. CISOs can quickly demonstrate the value of their cybersecurity program and provide the ROI for future security investments. And, security teams can operationalize high velocity risk reduction and make better decisions faster.