Even as cybersecurity ascends the list of board-level concerns, directors are already dealing with what Forrester describes as “a chronic case of cyber fatigue”. In a new report, “Transform Cyber Risk Management with Cyber Risk Quantification” (CRQ), the company looks at practical actions for those hoping to tap into the quantifiable certainty offered by CRQ.

Years of increasing spending without quantifiable results have soured board members on the topic. Chief information security officers (CISOs) are now turning to the emerging CRQ technologies to quantify cyber risk for the board,” says Forrester in the report, which examines how board cyber fatigue requires a fundamental rethink and revolution in cyber-risk management.

In 2021, boards of directors were consumed with cyber resilience and ransomware preparedness. According to the “Forrester Infographic: Global Security Budgets in 2022”, security accounted for 34% of the average IT budget in 2021, continuing the upward trajectory, evidenced by a 16% compounded annual growth rate (CAGR) of security budget increase since 2018.

However, Forrester believes that while detection and response as well as increased cloud adoption will dominate 2022 budgets, security leaders can expect greater examination of spending, along with demands for mature business cases from board members.

Investment in preventative cybersecurity is difficult to qualify

For years, boards have asked CISOs to quantify their efforts to determine if they have adequately invested in security to meet tolerance for financial loss experienced due to a cyber risk.

However, Forrester points out that the traditional methods of ordinal scoring mechanisms and 5×5 heatmaps can be subjective. What’s more, executives tend to view security efforts as a cost centre, which McKay and his colleagues note can lead to the following problems:

In the absence of a common risk language, CISOs revert to heatmaps which rely on qualitative descriptions.
Qualitative risk analysis lacks the business context boards are used to.
CISOs see their role as protecting organisational data, rather than seeing their efforts as protecting the ability of the company to generate revenue.

Forrester says CRQ can be viewed as a “Rosetta Stone” for translating security outcomes into more relevant financial terms, defining CRQ as:

Tools that utilise mathematical modelling techniques to render the business impact of cyber risk in financial terms. Cyber-risk quantification models combine financial loss data with cyber-threat event data to provide a financial estimate of loss based on historical data. Organisations use cyber-risk quantification to make risk transfer decisions and cybersecurity alignment with business priorities more efficient.

Common language aligns CISO and board conversations

Forrester points out that by introducing a common taxonomy, security professionals are better equipped to contribute to the business conversation. By translating the cyber-risk impact into financial terms, CISOs can identify the biggest risks based on what has the biggest potential financial impacts.

CRQ is also able to help leaders make better decisions around digital strategies. The ability to more accurately quantify the financial impact of security efforts in financial terms enables business leadership to better determine the optimum investment levels and priorities.

CISOs are painfully aware that not every threat can be acted on. CRQ allows security professionals to prioritise risk treatment and remediation, targeting their risk mitigation strategies on the most significant risks and those that will have the biggest consequences on the organisation.

The insight delivered by CRQ also helps business leaders calibrate their insurance coverage and pricing levels, which has become increasingly important as coverage limits continue to shrink.

Despite its many advantages, Forrester says many of the CISOs interviewed admitted that implementing CRQ posed challenges, especially if attempting to do so on their own and without the right level of expertise, data, and executive buy-in.

To help, Forrester has compiled some helpful tips to getting started.

Four steps to start your CRQ journey

While many organisations make use of the FAIR Institute’s methodology, Forrester encourages CISOs to investigate other approaches to see which methodology best fits their requirements. These include the Information Security Forum’s (ISF’s) Quantitative Information Risk Assessment (QIRA) approach, as well as the X-Analytics, a patented approach developed by Secure Systems Innovation Corporation (SSIC).
Establishing a common risk taxonomy in your organisation can help security professionals better engage with their counterparts. It also keeps all stakeholders aligned when it comes to goals, priorities, outcomes, and threats, making it easier to execute on strategic objectives.
Don’t neglect the collection and documentation of historical data. Organisations will require historical data on previous events to help them identify and model future scenarios. Examining the past can also help shed light on the costs of past and future events.
Start small and deliver a successful pilot. Once stakeholders see the improved decision-making quality in a defined decision outcome, they are more likely to give CRQ the support it deserves and get behind a bigger roll-out.

Forrester ends its report by reassuring CISOs that in the next five years it expects to see significant improvements in CRQ software, which it says will further aid in the collection and integration of data and boost adoption of CRQ technologies.

For the past decade, Forrester has been tracking and delivering deep insights into how B2B and B2C consumers interact with technology, how their behaviours and expectations evolve, and how companies should respond. For more information on how to transform cyber risk management, contact Joan Osterloh, Forrester’s authorised research partner for South and East Africa.