How to gain executive support for measuring cyber risk
There are many frameworks and standards that point the way towards implementing security controls in an organization. But for risk managers, the challenge is that cybersecurity frameworks such as NIST CSF, ISO 27001 or HITRUST, though useful, were not designed to measure controls quantitatively. This makes it harder to build a case for investing in controls that are proven to reduce risk.

Quantified Cyber Risk Assessments
This has been the recurring theme of a three-part webinar series, held by C-Risk together with its partner RiskLens (now part of Safe Security). The third webinar focused on quantifying control efficiency, and how this plays into making better decisions about reducing risk.
A poll held during the webinar revealed a 50/50 split among attendees over whether their organization quantifies risk in financial terms. One half already do so or have started to. The other half was evenly split between those that are not doing so and those that are interested but have yet to begin.
Gaining leadership support for quantifying cyber risk
What’s more, another poll revealed that many organizations lack support, particularly at the leadership level, for measuring cyber risk in financial terms, also known as cyber risk quantification (CRQ).
One way to overcome this obstacle is to work with the business to identify an important strategic decision and use that to introduce quantitative risk assessment.
“Applying CRQ to use cases which are linked to strategic decisions is one way to get more engagement and support from a top-down perspective,” says Tom Callaghan, Co-founder of C-Risk and co-chair of the FAIR Institute Paris chapter.
“By working with your business teams using this approach, you can get a lot closer to driving decisions in the organization and understanding how business works and getting more support for information security governance,” he adds.

