“By 2025, 50% of cybersecurity leaders will have tried, unsuccessfully, to use cyber risk quantification to drive enterprise decision making.”
Author James Graham is Vice President, Marketing for RiskLens
“Gartner research indicates that 62% of cyber risk quantification adopters cite soft gains in credibility and cyber risk awareness, but only 36% have achieved action-based results, including reducing risk, saving money or actual decision influence. Security leaders should focus firepower on quantification that decision makers ask for, instead of producing self-directed analyses they have to persuade the business to care about.”
Despite the negative connotations of that prediction, Gartner’s analysis essentially says that in the next few years, security leaders have a 50-50 chance of making CRQ work for their organizations. As the leader in the cyber risk quantification space, and having helped hundreds of organizations successfully adopt, implement and operationalize CRQ with Factor Analysis of Information Risk (FAIR™), we do not find this statistic surprising.
The main challenge with CRQ is that it fundamentally changes an organization’s perspectives on how to measure and manage cybersecurity risk. It’s not something that comes instantly to any organization or cybersecurity culture, and we find that the 50% of organizations who take the right approach to CRQ find more success than the 50% who do not.
While we wait for additional research details and industry reactions around Gartner’s latest prediction, we have some thoughts about why that 50% of CISOs have failed, and will fail, at implementing CRQ:
In the growing CRQ marketplace, models are everything. Quantifying risk requires a basis for the Value-at-Risk calculation, and there are currently a number of ways that CRQ vendors help their clients measure cyber risk. Some other providers adhere to the FAIR model like we do, but others offer proprietary models or simple scores as the basis for making million-dollar cybersecurity decisions. The thing is, the board is going to ask you about those numbers eventually, and without the proper model to explain your results, anything less than an open, defensible cyber risk model cannot withstand this scrutiny. Read more about FAIR.
Establishing an enterprise-wide programmatic approach is the end-game of most RiskLens customers, but they don’t all start out that way. Cybersecurity funding is often a zero-sum game, and sometimes there simply aren’t enough resources to start big. In these cases, other approaches must be considered in the short term, where the program champion can show the value of CRQ to their teams and stakeholders, until a deeper scope can be properly resourced. Given our unmatched expertise in CRQ reporting, we often work with under-resourced organizations using our RiskLens Pro Managed Service, which gives CISOs all the benefits of CRQ reporting and decision-making, without the need for in-house resources or expertise. This approach has given many a resource-strapped organization just the right amount of data and quantified assessment to make the case for a bigger program. Read more about our RiskLens Pro managed service and our Executive Board Reporting Service use case on the RiskLens | Cyber Risk Management site.
In conclusion, there are likely myriad reasons that half of the CRQ programs cited by Gartner have failed and will continue to fail. I’ve only mentioned a few here in the hopes that someone recognizes their own challenge and sees a potential fix in the resources I’ve outlined. To me, the bright spot in Gartner’s stat really is that if 50% of CISOs are failing at CRQ, there has to be another 50% that are succeeding. The goal of RiskLens is to meet as much of that other half as possible, so we can get started in changing this stat for the better.