A new study from the major consulting firm, the Deloitte 2019 Future of Cyber Survey, polled 500 C-level executives who oversee cybersecurity at large companies, and found that half now report they use “risk quantitative tools” to evaluate cyber investment decisions. The other half said they still “rely on the experience of their cyber leadership or cyber maturity assessments” – in other words, they're largely flying blind.
“The cyber risk program, rather than being an ever-increasing cost to the business, is a necessary element of the investments made to achieve the strategic goals of the organization,” the Deloitte survey report says.
The result lines up with other surveys and general industry buzz: qualitative cyber risk assessment — for instance, heat maps with red, yellow and green risk ratings based on analyst opinions — was once dominant but is now a declining practice, while quantitative approaches are on the rise.
- “Rethink Risk Assessments for the Digital Future”
- “Crossfire: Which Works Better — Quantitative or Qualitative Risk Assessment”
- “A Successful Data Security Strategy Needs a Financial Risk Assessment”
And Gartner analysts told our attendees at the conference that inquiries about cyber risk quantification were piling in, all of them focussed on FAIR, the model that powers the RiskLens Platform.
Another data point: Membership in the FAIR Institute, the non-profit educational organization proselytizing for risk quantification, has zoomed up more than 25% this year, heading toward 7,000 by end of 2019.
Among the drivers of the move to risk quantitative tools are the inescapable headlines about big data breaches hitting big companies (most recently Equifax, Capital One, British Airways) with material impacts; boards and senior management are demanding to know their cyber risk in financial terms — and the C-suites surveyed by Deloitte are responding.
But, to dig deeper — are those cybersecurity executives getting the cyber risk quantification they think they are?
True cyber risk quantification (CRQ), as delivered by FAIR analysis, quantifies and expresses the probability and magnitude of cyber-related loss in financial terms.
Many other self-advertised quantification solutions produce numbers but not CRQ. For instance…
- Simple 5x5 ordinal scales for probability and impact that can be multiplied to arrive at a “risk score” really just use numbers to label buckets of risks based on the opinions of analysts. There’s no way to know if a “1” is less likely to occur than a “2”.
- CVSS scores rate weaknesses in security technology defenses but not risk. They can’t produce useful information about frequency of attacks or magnitude of impact.
- Credit-like scores may include assessments of the organization’s control conditions, data traffic patterns, industry threat-related data and other factors which are run through an algorithm to produce a numeric rating. The implication is that a higher or lower number indicates more or less risk — but that’s just an implication, not an actual measure of risk.
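To make the contrast concrete, here is an added example (not from the article, and not RiskLens or FAIR Institute code) that scores two constructed scenarios on a 5x5 heat map and then estimates their annualised loss in dollars with a FAIR-style Monte Carlo simulation; the scenario names, frequency and magnitude ranges are made-up assumptions.

```python
import math
import random
import statistics

# Constructed scenario inputs (illustrative, not from the article). Each gives
# FAIR-style calibrated ranges as (min, most likely, max):
# lef = loss event frequency in events per year; lm = loss magnitude per event, USD
SCENARIOS = {
    "phishing-credential-theft": {"lef": (2, 6, 15), "lm": (5_000, 40_000, 250_000)},
    "customer-db-breach": {"lef": (0.02, 0.1, 0.5), "lm": (1e6, 8e6, 60e6)},
}


def ordinal_score(likelihood, impact):
    """5x5 heat-map score: two 1-5 labels multiplied. The product is a bucket
    label, not a measurement; nothing says a '2' is twice as likely as a '1'."""
    return likelihood * impact


def poisson(rng, lam):
    """Knuth's Poisson sampler; adequate for the small rates used here."""
    limit, k, p = math.exp(-lam), 0, 1.0
    while True:
        p *= rng.random()
        if p <= limit:
            return k
        k += 1


def simulate_annual_loss(lef, lm, trials=20_000, seed=1):
    """Monte Carlo annualised loss: for each simulated year draw a frequency,
    draw how many loss events actually occur, and sum a drawn magnitude for each."""
    rng = random.Random(seed)
    losses = []
    for _ in range(trials):
        freq = rng.triangular(lef[0], lef[2], lef[1])  # args: low, high, mode
        events = poisson(rng, freq)
        losses.append(sum(rng.triangular(lm[0], lm[2], lm[1]) for _ in range(events)))
    return losses


def summarise(losses):
    """Figures a board can act on: expected annual loss, median and 90th percentile."""
    s = sorted(losses)
    return {"mean": statistics.fmean(s), "p50": s[len(s) // 2], "p90": s[int(0.9 * len(s))]}


if __name__ == "__main__":
    # Both scenarios land in the same heat-map cell (3x2 == 2x3 == 6)...
    print("ordinal scores:", ordinal_score(3, 2), ordinal_score(2, 3))
    # ...but simulated annual loss in dollars separates them by a wide margin.
    for name, s in SCENARIOS.items():
        print(name, {k: round(v) for k, v in summarise(simulate_annual_loss(**s)).items()})
```

The breach scenario's median year is a zero-loss year, which is exactly the information a single heat-map cell throws away: the risk lives in the tail, and only a loss distribution shows it.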
Confusion in the marketplace may explain this finding from the Deloitte survey:
“Cyber teams are challenged by their ability to help the organization better prioritize cyber risk across the enterprise (15 percent), followed closely behind by lack of management alignment on priorities (14 percent) and finally, by adequate funding (13 percent).”
When you think about it, all three of those complaints (inability to prioritize, lack of alignment on priorities, inadequate funding) could be addressed by true quantitative risk analysis in financial terms, which directs cybersecurity investment to where it will do the most to reduce risk.
As in any market shift, it pays to have a guide to navigate through competing claims. We highly recommend the FAIR Institute's Understanding Cyber Risk Quantification: The Buyer's Guide by Jack Jones, creator of the FAIR model.