Company Investment
Risk is inherent to the enterprise world but difficult to assess and measure. This is particularly true of cyber risk, which keeps increasing despite growing IT security budgets. To decide which IT controls they should funnel resources and expertise into, enterprises, like their risk management functions, need to quantify cyber risk in financial terms.

Explanations
Discussions about risk are always difficult in a world of miscalculated risk, and more so in the enterprise, where the very definition of the word entrepreneur shows that risk is inherent to the nature of the enterprise world.
Indeed, when proposing their services or products to the market, all organizations figure, in more or less reliable ways, their risk/reward ratio (cf. Airbus CFO Hans Peter Ring on pricing risk) in order to weigh their odds of success. No risk taking means little or no reward. That is why enterprise risk experts like James Lam and others have long advocated using risk-adjusted ratios to measure the profitability (i.e. performance) of an organization rather than the standard ROA (return on assets).
Today, organizations face a formidable new set of risks: cyber risks. As Ginni Rometty explained in 2015, if data is the new natural resource in the era of the data economy, "then cybercrime, by definition, is the greatest threat to every profession, every industry, every company in the world." As a result, cyber security investments keep soaring, fuelled by vendor hype and ever more media exposure. While some may argue that with increased maturity, investment growth will eventually slow down, Gartner and other analysts continue to report rapid growth of investments in security solutions in 2018-19 (+8.7% YoY).
Yet, despite increasing budgets, companies are dealing with ongoing cyber attacks (including a growing number of successful ones) and struggle to find and properly use the human and financial resources needed to resist them.
In the past few years, enterprises have improved their risk management using frameworks like NIST, ISO 27005, EBIOS and others. But while helpful in guiding the set-up of a risk management program, those standards remain non-prescriptive about the quantification of risk. As a consequence, many companies still focus on being compliant with best practices rather than measuring (i.e. quantifying) which IT controls are actually most relevant to their situation.
According to Gartner, that is changing: its analysts advise putting the emphasis back on risk and transitioning from Governance, Risk and Compliance (GRC, with its heavy emphasis on compliance) to Integrated Risk Management (IRM, which puts risk back in the limelight). In parallel, new regulations like GDPR and CCPA keep putting pressure on security and risk managers to explain to their business leaders, in financial terms, how much risk they have and how much less they will have as a result of further cybersecurity investments.
