This has been the recurring theme of a three-part webinar series, held by C-Risk together with its partner RiskLens. The third webinar focused on quantifying control efficiency, and how this plays into making better decisions about reducing risk.
A poll held during the webinar revealed a 50/50 split among attendees over whether their organisation quantifies risk in financial terms. One half already do so or have started to. The other half was evenly split between those not doing so at all and those showing some interest but yet to begin.
Gaining leadership support for quantifying cyber risk
What’s more, another poll revealed that many organisations lack support, particularly at a leadership level, for measuring cyber risk in financial terms, also known as cyber risk quantification (CRQ).
One way to overcome this obstacle is to work with the business to identify an important strategic decision and use that to introduce quantitative risk assessment.
“Applying CRQ to use cases which are linked to strategic decisions is one way to get more engagement and support from a top-down perspective,” says Tom Callaghan, Co-founder of C-Risk and co-chair of the FAIR Institute Paris chapter.
“By working with your business teams using this approach, you can get a lot closer to driving decisions in the organisation and understanding how business works and getting more support for information security governance,” he adds.
Other best practice steps shared on the webinar include:
- Always think about the purpose of a risk assessment: what decisions are at stake?
- Get as much information as possible about the overall environment and the digital assets.
- Scope risk scenarios that support decisions.
Jacqueline Lebo, a senior risk consultant with RiskLens LLC, advises using rapid risk assessment techniques to gauge what information the organisation is most concerned about, and map out the risks from there.
“If it’s the crown jewel, they need it to be available and need it to be secure – the confidential information can’t leak,” she says.
Choosing controls to reduce risk effectively
She gives the example of a US healthcare group that has acquired multiple smaller provider practices and is developing an integration strategy to optimise productivity, patient wellbeing and running costs.
Jacqueline demonstrated how, by understanding risk in financial terms, the healthcare group could see that choosing one control over another would reduce risk by $2 for every $1 spent.
Zack Sumney, senior risk consultant with RiskLens, adds that developing a common portfolio of the threats facing its assets helps an organisation see which controls work best.
“We need that baseline and definition of how controls are reducing risks and how effective they will be at different sites,” he says.
Risk managers can then use this information to build a return on investment case based on cost or efficacy and see where they’re achieving the biggest reduction of risk.
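As an added illustration of the risk-reduction-per-dollar comparison described above (example code, not from the webinar or either firm), the script below models a single loss scenario FAIR-style as loss event frequency times loss magnitude, applies two hypothetical controls, and ranks them by annualised risk reduction per dollar of annual cost. All scenario figures and control parameters are constructed for the example.

```python
"""FAIR-style comparison of candidate controls by risk reduction per dollar spent.

Constructed example: loss event frequency (LEF, events/year) and loss magnitude
(LM, dollars/event) are sampled from triangular distributions; a control reduces
risk by preventing events (lower LEF) or containing them (lower LM).
"""
import random
import statistics
from dataclasses import dataclass


@dataclass
class Scenario:
    lef: tuple  # (low, high, most likely) loss events per year
    lm: tuple   # (low, high, most likely) dollars lost per event


@dataclass
class Control:
    name: str
    annual_cost: float        # dollars per year to run the control
    lef_reduction: float = 0  # fraction of loss events prevented
    lm_reduction: float = 0   # fraction of per-event loss avoided


def simulate_ale(s, control=None, trials=20000, seed=1):
    """Mean annualised loss exposure over Monte Carlo trials, with an optional control.
    A fixed seed gives paired draws, so 'with' and 'without' runs are directly comparable."""
    rng = random.Random(seed)
    losses = []
    for _ in range(trials):
        lef = rng.triangular(*s.lef)
        lm = rng.triangular(*s.lm)
        if control is not None:
            lef *= 1 - control.lef_reduction
            lm *= 1 - control.lm_reduction
        losses.append(lef * lm)
    return statistics.mean(losses)


def rank_controls(scenario, controls):
    """Return (baseline ALE, rows sorted by dollars of risk reduced per dollar of cost)."""
    base = simulate_ale(scenario)
    rows = []
    for c in controls:
        reduction = base - simulate_ale(scenario, c)
        rows.append((c.name, round(reduction), reduction / c.annual_cost))
    return base, sorted(rows, key=lambda r: r[2], reverse=True)


# Hypothetical scenario: compromise of a patient-records system.
SCENARIO = Scenario(lef=(0.5, 4.0, 1.5), lm=(50_000, 600_000, 150_000))
CONTROLS = [
    Control("phishing-resistant MFA", annual_cost=120_000, lef_reduction=0.6),
    Control("immutable backups", annual_cost=200_000, lm_reduction=0.5),
]

if __name__ == "__main__":
    base, ranked = rank_controls(SCENARIO, CONTROLS)
    print(f"baseline ALE: ${base:,.0f}")
    for name, reduced, ratio in ranked:
        print(f"{name}: ${reduced:,} reduced, ${ratio:.2f} per $1 spent")
```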