There was a definite theme reverberating through the halls and meeting rooms at the Moscone – and echoing in the Twittersphere – this week at RSAC ’18. That theme can be paraphrased as “Security needs to align with the business, bridge the gap to the C-suite and Board, and empower the business to make the right decisions by completely changing the way it informs the business related to cyber risk. Cybersecurity needs to up its game and get to the business table.”
This shouldn’t come as a major surprise given the significant and immediate losses incurred by some of the world’s biggest brands late last year from the NotPetya attacks. Sure, 2017 marked more of the same in terms of “Year of the Breach” status but the NotPetya events acted as a major wake up call to Boards and C-suites as they resulted (even if accidentally) in major disruption to production/ICS environments and nearly $1b in reported losses. Business is now even more awake than it has been to the reality that cyber represents a top business risk. They’re asking questions and pushing on cybersecurity teams to deliver better answers – and they aren’t alone as regulatory bodies such as the SEC are now saying cyber risk needs to be quantified in financial terms.
The tone of the discussion at RSA could be a result of the “stick” – in other words, the feeling of pressure from these key leaders and oversight bodies. But our take is that it is a more systemic change occurring. In the past six months we’ve engaged with more companies than we have in the past two years – the list includes virtually every leading brand in North America – and increasingly around the world. What we are seeing is that forward leaning cybersecurity practitioners have recognized that they are indeed business people, that cyber is a primary business risk, and as a result they have a duty to help the business better define and manage that risk.
Whether this trend is being driven by the carrot or the stick – there seems to be consensus that we must do better!
As a result, Cyber Risk Quantification was the talk of the town at RSA. Beginning with Rohit Gai’s (President of RSA) Tuesday keynote – where he laid out a construct for driving better cybersecurity with cyber risk as the foundational pillar – extending to a lively FAIR Institute breakfast, to packed rooms at multiple cyber risk related sessions, to Thursday’s early morning RSA Archer rollout of its Cyber Risk Quantification solution (powered by RiskLens) – it seemed you couldn’t escape the discussion.
This comes as no surprise to RiskLens - we've been at the forefront of this evolving cyber risk revolution and we are seeing firsthand how leading enterprises are forever changing the way they evaluate and manage their cybersecurity strategies using a quantified risk approach.
We took the decision some time ago to standardize our Cyber Risk Quantification solution around the FAIR model. As the FAIR Institute's official Technology Advisor, we have watched as the community has swelled to nearly 3,000 members across cyber security and risk management roles – with dozens of new members joining daily. And through the FAIR training programs we have built and execute, we've seen hundreds of eyes opened to the reality that quantifying cyber risk is a critical step forward to better security...
So, we aren’t shocked with what is happening – but we are thrilled by it! We believe that Cyber Risk Quantification opens us to a new reality in cybersecurity. It enables organizations to better understand the impact of the threats they face, the probable losses they might incur, and as a result drive better strategic and tactical decisions with respect to investments in people, processes and technology.
In other words, a business level understanding of cybersecurity risk acts to inform the roadmap for where cybersecurity should be heading.
We walk away from RSAC ’18 encouraged by this change in thinking and standing at the ready to support the Cyber Risk Revolution – it is coming and we know it will be QUANTIFIED!
The Board is demanding this change, the C-suite is paralyzed without it – and cybersecurity teams will find themselves in a completely different world of collaboration and support from the business as a result of it.