How to gain executive support for measuring cyber risk

There are many frameworks and standards that can point the way towards implementing security controls in an organisation. But for risk managers, the challenge is that frameworks such as NIST CSF, ISO 27001 or HITRUST, though useful, were not designed to be measured quantitatively. This can make it harder to make a case for investing in controls that are proven to reduce risk.

An article from Christophe Forêt, President and co-founder of C-Risk. Published April 3, 2023. Updated October 17, 2023.

This has been the recurring theme of a three-part webinar series, held by C-Risk together with its partner RiskLens. The third webinar focused on quantifying control efficiency, and how this plays into making better decisions about reducing risk.

A poll held during the webinar revealed a 50/50 split among attendees over whether their organisation quantifies risk in financial terms. One half already do so or have started to. The other half was evenly split between those that aren’t doing so at all and those that are showing some interest but have yet to begin.

Gaining leadership support for quantifying cyber risk

What’s more, another poll revealed that many organisations lack support, particularly at a leadership level, for measuring cyber risk in financial terms, also known as cyber risk quantification (CRQ).

One way to overcome this obstacle is to work with the business to identify an important strategic decision and use that to introduce quantitative risk assessment.

“Applying CRQ to use cases which are linked to strategic decisions is one way to get more engagement and support from a top-down perspective,” says Tom Callaghan, Co-founder of C-Risk and co-chair of the FAIR Institute Paris chapter.

“By working with your business teams using this approach, you can get a lot closer to driving decisions in the organisation and understanding how business works and getting more support for information security governance,” he adds.

Other best practice steps shared on the webinar include:

  • Always think about the purpose of a risk assessment: what decisions are at stake?
  • Get as much information as possible about the overall environment and the digital assets.
  • Scope risk scenarios that support decisions.

Jacqueline Lebo, a senior risk consultant with RiskLens LLC, advises using rapid risk assessment techniques to gauge what information the organisation is most concerned about, and map out the risks from there.

“If it’s the crown jewel, they need it to be available and need it to be secure – the confidential information can’t leak,” she says.

Choosing controls to reduce risk effectively

She gives the example of a US healthcare group that has acquired multiple smaller provider practices and is developing an integration strategy to optimise productivity, patient wellbeing and running costs.

Jacqueline demonstrated how, by understanding risk in financial terms, the healthcare group could see that choosing one control over another would reduce risk by $2 for every $1 spent.

Zack Sumney, senior risk consultant with RiskLens, adds that developing a common portfolio of the threats facing its assets helps an organisation see which controls work best.

“We need that baseline and definition of how controls are reducing risks and how effective they will be at different sites,” he says.

Risk managers can then use this information to build a return-on-investment case based on cost or efficacy, and see where they achieve the biggest reduction in risk.
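As an added example (not code from the webinar, C-Risk or RiskLens), the Python below shows how a FAIR-style scenario can be used to compare two controls by risk reduction per dollar spent, the same kind of figure as the $2-per-$1 case above. The scenario estimates, control costs and reduction fractions are constructed assumptions, and the Monte Carlo run is there to check the closed-form ALE rather than replace a proper FAIR analysis.

```python
import random
from dataclasses import dataclass

@dataclass
class Scenario:
    """FAIR-style inputs for one risk scenario: loss event frequency (events/year) and
    loss magnitude (USD/event), each as a (min, most likely, max) estimate."""
    lef: tuple
    lm: tuple

@dataclass
class Control:
    name: str
    annual_cost: float    # USD per year to operate the control
    lef_reduction: float  # fraction of loss events the control prevents
    lm_reduction: float   # fraction of per-event loss the control avoids
    def apply(self, s: Scenario) -> Scenario:
        f, m = 1 - self.lef_reduction, 1 - self.lm_reduction
        return Scenario(tuple(x * f for x in s.lef), tuple(x * m for x in s.lm))

def analytic_ale(s: Scenario) -> float:
    """Annualised loss expectancy: mean(LEF) * mean(LM) for independent triangular estimates."""
    return (sum(s.lef) / 3) * (sum(s.lm) / 3)

def simulate_ale(s: Scenario, years: int = 20000, seed: int = 7) -> float:
    """Monte Carlo ALE: draw frequency and magnitude each year from triangular distributions."""
    rng = random.Random(seed)
    (lo_f, ml_f, hi_f), (lo_m, ml_m, hi_m) = s.lef, s.lm
    losses = (rng.triangular(lo_f, hi_f, ml_f) * rng.triangular(lo_m, hi_m, ml_m)
              for _ in range(years))
    return sum(losses) / years

def reduction_per_dollar(s: Scenario, c: Control) -> float:
    """Risk reduced (USD/year) per USD spent on the control; 2.0 means $2 back for every $1."""
    return (analytic_ale(s) - analytic_ale(c.apply(s))) / c.annual_cost

def rank_controls(s: Scenario, controls) -> list:
    """Controls ordered by risk reduction per dollar, best first (the ROI case)."""
    ranked = [(c.name, round(reduction_per_dollar(s, c), 2)) for c in controls]
    return sorted(ranked, key=lambda t: t[1], reverse=True)

# Constructed sample values for illustration, not figures from the webinar.
SCENARIO = Scenario(lef=(0.5, 2.0, 5.0), lm=(50_000, 200_000, 1_000_000))
CONTROLS = [
    Control("A: prevents loss events", annual_cost=150_000, lef_reduction=0.6, lm_reduction=0.0),
    Control("B: limits loss per event", annual_cost=200_000, lef_reduction=0.0, lm_reduction=0.5),
]

if __name__ == "__main__":
    print(rank_controls(SCENARIO, CONTROLS))  # [('A: ...', 4.17), ('B: ...', 2.6)]
```

Control A is the better investment here even though it costs less, because it removes 60% of the loss events; that ranking is exactly the kind of evidence the ROI case needs.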
