A new study from the major consulting firm, the Deloitte 2019 Future of Cyber Survey, polled 500 C-level executives who oversee cybersecurity at large companies, and found that half now report they use “risk quantitative tools” to evaluate cyber investment decisions. The other half said they still “rely on the experience of their cyber leadership or cyber maturity assessments” – in other words, they’re largely flying blind.
“The cyber risk program, rather than being an ever-increasing cost to the business, is a necessary element of the investments made to achieve the strategic goals of the organization,” the Deloitte survey report says.
The result lines up with other surveys and general industry buzz that qualitative cyber risk assessment — for instance, heat maps with red, yellow and green risk ratings based on analyst opinions — once dominant, is a declining practice, while quantitative approaches are on the rise.
And Gartner analysts told our attendees at the conference that inquiries about cyber risk quantification were piling in, all of them focused on FAIR, the model that powers the RiskLens Platform.
Another data point: Membership in the FAIR Institute, the non-profit educational organization proselytizing for risk quantification, has zoomed up more than 25% this year, heading toward 7,000 by end of 2019.
Among the drivers of the move to risk quantitative tools are the inescapable headlines about big data breaches hitting big companies (most recently Equifax, Capital One, British Airways) with material impacts; boards and senior management are demanding to know their cyber risk in financial terms — and the C-suites surveyed by Deloitte are responding.
But, to dig deeper — are those cybersecurity executives getting the cyber risk quantification they think they are?
True cyber risk quantification (CRQ), as delivered by FAIR analysis, quantifies and expresses the probability and magnitude of cyber-related loss in financial terms.
Many other self-advertised quantification solutions produce numbers but not CRQ. For instance…
Confusion in the marketplace may explain this finding from the Deloitte survey:
“Cyber teams are challenged by their ability to help the organization better prioritize cyber risk across the enterprise (15 percent), followed closely behind by lack of management alignment on priorities (14 percent) and finally, by adequate funding (13 percent).”
When you think about it, all three of those complaints (inability to prioritize, lack of management alignment, inadequate funding) could be addressed by true quantitative risk analysis in financial terms, because a dollar figure for risk directs cybersecurity investment to where it will reduce the most risk.
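To make concrete what "probability and magnitude of loss in financial terms" looks like versus a heat-map colour, and how such a figure guides investment, here is an added example (not RiskLens or FAIR Institute code): a small Monte Carlo simulation of annualized loss exposure for one scenario, then the dollar reduction a hypothetical control would buy. The scenario, its (min, most likely, max) ranges and the triangular distributions are assumptions constructed for this example.

```python
import math
import random
import statistics

# Constructed calibrated estimates for one scenario, e.g. "external attacker
# exfiltrates customer records from a web application". Ranges are assumptions.
BASELINE = {
    "loss_event_frequency": (0.1, 0.5, 2.0),          # (min, likely, max) events/yr
    "loss_magnitude": (50_000, 200_000, 1_000_000),   # (min, likely, max) USD/event
}

def sample_poisson(rng, lam):
    """Knuth's Poisson sampler; adequate for the small yearly rates used here."""
    limit = math.exp(-lam)
    k, p = 0, 1.0
    while True:
        p *= rng.random()
        if p <= limit:
            return k
        k += 1

def simulate_annual_loss(scenario, trials=10_000, seed=7):
    """For each simulated year: draw an event rate, draw how many loss events
    occur, draw a magnitude per event. Returns exposure in dollars, not a colour."""
    rng = random.Random(seed)
    f_lo, f_ml, f_hi = scenario["loss_event_frequency"]
    m_lo, m_ml, m_hi = scenario["loss_magnitude"]
    losses = []
    for _ in range(trials):
        rate = rng.triangular(f_lo, f_hi, f_ml)    # random.triangular(low, high, mode)
        events = sample_poisson(rng, rate)
        losses.append(sum(rng.triangular(m_lo, m_hi, m_ml) for _ in range(events)))
    losses.sort()
    n = len(losses)
    return {
        "expected_annual_loss": statistics.fmean(losses),
        "p90_annual_loss": losses[int(0.9 * n)],
        "prob_any_loss": sum(1 for x in losses if x > 0) / n,
    }

def risk_reduction(baseline, candidate, **kw):
    """Expected annual loss avoided by a control; weigh this against its cost."""
    before = simulate_annual_loss(baseline, **kw)["expected_annual_loss"]
    after = simulate_annual_loss(candidate, **kw)["expected_annual_loss"]
    return before - after

if __name__ == "__main__":
    print(simulate_annual_loss(BASELINE))
    # Hypothetical control that halves event frequency but not magnitude.
    halved = {**BASELINE, "loss_event_frequency": (0.05, 0.25, 1.0)}
    print(f"Expected loss avoided per year: ${risk_reduction(BASELINE, halved):,.0f}")
```

Analytically the baseline expected annual loss is about $361,000 (mean frequency times mean magnitude), so the simulation output can be sanity-checked against that figure.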
As in any market shift, it pays to have a guide to navigate through competing claims. We highly recommend the FAIR Institute’s Understanding Cyber Risk Quantification: The Buyer’s Guide by Jack Jones, creator of the FAIR model.
RiskLens is leading a revolution in the way cyber risk is assessed, measured and managed by bringing to market a Software as a Service solution that makes cyber risk quantification a reality.
We help organizations translate cyber risk from the technical into the economic language of business.