There are many frameworks and standards that can point the way towards implementing security controls in an organisation. But for risk managers, the challenge is that frameworks such as NIST CSF, ISO 27001 or HITRUST, though useful, were not designed to be measured quantitatively. This can make it harder to make a case for investing in controls that are proven to reduce risk.
This has been the recurring theme of a three-part webinar series, held by C-Risk together with its partner RiskLens. The third webinar focused on quantifying control efficiency, and how this plays into making better decisions about reducing risk.
A poll held during the webinar revealed a 50/50 split among attendees over whether their organisation quantifies risk in financial terms. One half already do so or have started to. The other half was evenly split between those that aren’t doing so and those showing some interest but who have yet to begin.
Gaining leadership support for quantifying cyber risk
What’s more, another poll revealed that many organisations lack support, particularly at a leadership level, for measuring cyber risk in financial terms, also known as cyber risk quantification (CRQ).
One way to overcome this obstacle is to work with the business to identify an important strategic decision and use that to introduce quantitative risk assessment.
“Applying CRQ to use cases which are linked to strategic decisions is one way to get more engagement and support from a top-down perspective,” says Tom Callaghan, Co-founder of C-Risk and co-chair of the FAIR Institute Paris chapter.
“By working with your business teams using this approach, you can get a lot closer to driving decisions in the organisation and understanding how business works and getting more support for information security governance,” he adds.
Other best practice steps shared on the webinar include:
Jacqueline Lebo, a senior risk consultant with RiskLens LLC, advises using rapid risk assessment techniques to gauge what information the organisation is most concerned about, and map out the risks from there.
“If it’s the crown jewel, they need it to be available and need it to be secure – the confidential information can’t leak,” she says.
Choosing controls to reduce risk effectively
She gives the example of a US healthcare group that has acquired multiple smaller provider practices and is developing an integration strategy to optimise productivity, patient wellbeing and running costs.
Jacqueline demonstrated how, by understanding risk in financial terms, the healthcare group could see that choosing one control over another would reduce risk by $2 for every $1 spent.
Zack Sumney, senior risk consultant with RiskLens, adds that developing a common threat portfolio facing assets helps organisations to see which controls work best.
“We need that baseline and definition of how controls are reducing risks and how effective they will be at different sites,” he says.
Risk managers can then use this information to build a return on investment case based on cost or efficacy and see where they’re achieving the biggest reduction of risk.
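The kind of comparison described above, expressed as a worked example. This code is added here for illustration and is not from the webinar, C-Risk or RiskLens; it assumes a FAIR-style decomposition of annualised loss exposure into loss event frequency and loss magnitude, with each modelled as a triangular distribution (min, most likely, max). The scenario figures, control effects and control costs are constructed sample values, not data from the healthcare case.

```python
"""Compare candidate controls by risk reduced per dollar spent.

Added example, not the page's own material. Assumes a FAIR-style model:
annualised loss exposure (ALE) = loss event frequency (LEF) x loss magnitude (LM).
Both factors are modelled as triangular distributions; a control scales LEF
(e.g. fewer successful attacks) or LM (e.g. smaller impact per event).
"""
import random
from dataclasses import dataclass


@dataclass(frozen=True)
class Scenario:
    """A loss scenario with calibrated min / most-likely / max estimates."""
    lef: tuple  # loss events per year, e.g. (0.5, 2.0, 4.0)
    lm: tuple   # loss per event in dollars, e.g. (50_000, 200_000, 800_000)


@dataclass(frozen=True)
class Control:
    """A candidate control: what it scales, by how much, and its annual cost."""
    name: str
    lef_factor: float   # 1.0 = no change, 0.4 = LEF reduced by 60 %
    lm_factor: float    # 1.0 = no change, 0.6 = LM reduced by 40 %
    annual_cost: float  # dollars per year


def _tri_mean(t):
    """Mean of a triangular distribution (min, mode, max)."""
    return sum(t) / 3.0


def expected_ale(scn, ctl=None):
    """Closed-form expected ALE; LEF and LM are treated as independent."""
    lef_f = ctl.lef_factor if ctl else 1.0
    lm_f = ctl.lm_factor if ctl else 1.0
    return _tri_mean(scn.lef) * lef_f * _tri_mean(scn.lm) * lm_f


def simulate_ale(scn, ctl=None, trials=20_000, seed=1):
    """Monte Carlo estimate of expected ALE (same model as expected_ale)."""
    rng = random.Random(seed)  # fixed seed so runs are reproducible
    lef_f = ctl.lef_factor if ctl else 1.0
    lm_f = ctl.lm_factor if ctl else 1.0
    total = 0.0
    for _ in range(trials):
        lef = rng.triangular(scn.lef[0], scn.lef[2], scn.lef[1]) * lef_f
        lm = rng.triangular(scn.lm[0], scn.lm[2], scn.lm[1]) * lm_f
        total += lef * lm
    return total / trials


def reduction_per_dollar(scn, ctl, ale_fn=expected_ale):
    """Dollars of annual risk removed per dollar of annual control spend."""
    reduced = ale_fn(scn) - ale_fn(scn, ctl)
    return reduced / ctl.annual_cost


def rank_controls(scn, controls, ale_fn=expected_ale):
    """Return (name, reduction_per_dollar) pairs, best value first."""
    scored = [(c.name, reduction_per_dollar(scn, c, ale_fn)) for c in controls]
    return sorted(scored, key=lambda item: item[1], reverse=True)


# Constructed sample scenario: a single "crown jewel" data store.
CROWN_JEWEL = Scenario(lef=(0.5, 2.0, 4.0), lm=(50_000, 200_000, 800_000))

# Constructed candidate controls (hypothetical effects and costs).
CONTROLS = [
    Control("MFA on admin access", lef_factor=0.4, lm_factor=1.0, annual_cost=100_000),
    Control("Backup and recovery upgrade", lef_factor=1.0, lm_factor=0.6, annual_cost=200_000),
]

if __name__ == "__main__":
    base = expected_ale(CROWN_JEWEL)
    print(f"Baseline expected ALE: ${base:,.0f}")
    for name, rpd in rank_controls(CROWN_JEWEL, CONTROLS):
        print(f"{name}: ${rpd:.2f} of risk removed per $1 spent")
    # Monte Carlo cross-check of the same ranking
    for name, rpd in rank_controls(CROWN_JEWEL, CONTROLS, simulate_ale):
        print(f"[simulated] {name}: ${rpd:.2f} per $1")
```

The closed-form path is enough to rank controls when only expected values matter; the Monte Carlo path is the one to extend if you want loss-exceedance curves or percentile views, since the ranking by expected value alone hides how much of the tail each control removes.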