In a new article for Dark Reading, How Well Is Your Organization Investing Its Cybersecurity Dollars?, Jack Jones, RiskLens' Chief Risk Scientist, gives as cogent an explanation as you’ll find for cyber risk quantification as the foundation of a cybersecurity program.
“Every dollar spent on cybersecurity is a dollar that can’t be spent on the many other business imperatives with which an organization must deal,” writes Jack, the creator of the FAIR model for quantitative cyber and operational risk analysis. “We must be able to effectively measure and communicate the value proposition of our cybersecurity efforts.”
But that’s not the norm, Jack notes. “Most of the time, we appear to lean on implicit proxies for measuring risk reduction—things like the NIST CSF… These are useful directional references that generally mean an organization has less risk. The problem is that we don’t know how much less risk.”
To start setting a value on risk reduction, Jack advises, clearly define the loss-event scenario: for example, what data, which threat community, via which vector. Jack gives a detailed example from his CISO days of how he ran the cost-benefit analysis for a go/no go decision on implementing data at rest encryption for a huge credit card database. “By not simply telling my executives that we had to bite the compliance bullet, the organization was able to save over a million dollars.”
If you’re new to quantitative risk analysis, read How Well Is Your Organization Investing Its Cybersecurity Dollars? in Dark Reading for a quick, effective introduction to the FAIR way of thinking about risk.