The Gartner Summit Confirmed It: Cyber Risk Quantification’s Time Is Now

June 28, 2019  Steve Ward

The annual Gartner Security and Risk Management Summit is a great place to separate the signal from the noise on where the cybersecurity community is headed, and as we heard it from the 2019 Summit sessions and the Gartner analysts themselves, the signal was clear:

We have entered a new era in the understanding of the measurement and management of cyber risk. The move to cyber risk quantification (CRQ) is well on its way. The old heat maps based on qualitative “measurement” that have kept organizations in the dark about the financial impact of cyber events are just not good enough anymore.


Steve Ward is the Vice President for Marketing at RiskLens

At RiskLens, we’ve heard this message building, in the conversations we have with our CISO clients, the growing news coverage of quantification in the Wall Street Journal and other media, and through our sponsorship of the FAIR Institute, where membership has grown by 25% this year. RiskLens is the only platform built on FAIR, the de facto standard model for cyber and technology risk quantification.

And the lineup of session topics was an indication of what was to come at the Summit, to name a few:

“Rethink Risk Assessments for the Digital Future”

“Crossfire: Which Works Better — Quantitative or Qualitative Risk Assessment”

“A Successful Data Security Strategy Needs a Financial Risk Assessment”

But we weren’t expecting the unequivocal support we heard from multiple Gartner experts the RiskLens team had the pleasure to sit down with. As with any new, emerging segment in security, there’s the possibility for the market to get confused on what is true cyber risk quantification — but Gartner has a firm grasp on what’s important and is providing guidance to the security world pointing in the direction of FAIR.

We met with analysts who advise both enterprises on technology acquisition and tech companies like RiskLens to make sure they are truly helping enterprises find the value they need, including Khushbu Pratap, who leads Gartner's IT risk, audit and cybersecurity risk management research, and John A. Wheeler, global research leader for risk management technology solutions and professional services.

We were incredibly excited to hear Khushbu describe the sheer number of inquiries she receives about cyber risk quantification and that, in her words, 100% of the conversations around CRQ focus on FAIR — also that her advice to clients is to start by looking at the FAIR Institute and RiskLens for support in training on the FAIR model.

RiskLens is the licensed trainer in FAIR for the FAIR Institute. The RiskLens Academy has trained hundreds in recent months and we receive dozens of inquiries daily on training.

In our meeting with John, we outlined our strategy to help organizations develop CRQ programs, starting with education and training and on through supporting the community connection via the FAIR Institute.

The journey to building a program may seem daunting, but having assisted many enterprises (including dozens of companies in the Fortune 1,000, among them some of the largest in the world), we have seen that it’s a fairly rapid process that delivers ongoing value in the first 12 months. The Professional Services division of RiskLens is entirely dedicated to enabling enterprises to get on the pathway to a program that delivers against the values they are searching for, such as:

  • Communication to the board and the business
  • Understanding top risks and risk appetite
  • Prioritizing security investments (for example, to meet the recommendations of the NIST CSF or the requirements of the New York Department of Financial Services’ cybersecurity regulations).

It was great to hear feedback from John about the positive reviews he has heard about RiskLens services — and that he believes RiskLens is the right way to achieve cyber risk quantification.

In the coming days, RiskLens will announce its overall product roadmap vision, which will highlight the way we see risk quantification evolving over the next few years. Risk quantification will act as the ultimate support capability for cybersecurity teams across all important decisions. CRQ’s time is now — watch us for more soon (and watch the FAIR Institute for potential announcements relating to support for the FAIR enablement journey).