Close Menu
TechCentralTechCentral

    Subscribe to the newsletter

    Get the best South African technology news and analysis delivered to your e-mail inbox every morning.

    Facebook X (Twitter) YouTube LinkedIn
    WhatsApp Facebook X (Twitter) LinkedIn YouTube
    TechCentralTechCentral
    • News

      Siemens is battling Big Tech for AI supremacy in factories

      24 June 2025

      Tesla shares soar after first robo-taxi rides hit the road

      24 June 2025

      ‘System offline’ scourge to end, says Schreiber – but industry must pay

      23 June 2025

      Why the spectrum gold rush may soon be over

      23 June 2025

      Tech stability key to getting South Africa off damaging financial grey list

      23 June 2025
    • World

      Mira Murati’s Thinking Machines hits $10-billion valuation

      24 June 2025

      Watch | Starship rocket explodes in setback to Musk’s Mars mission

      19 June 2025

      Trump Mobile dials into politics, profit and patriarchy

      17 June 2025

      Samsung plots health data hub to link users and doctors in real time

      17 June 2025

      Beijing’s chip champions blacklisted by Taiwan

      16 June 2025
    • In-depth

      Meta bets $72-billion on AI – and investors love it

      17 June 2025

      MultiChoice may unbundle SuperSport from DStv

      12 June 2025

      Grok promised bias-free chat. Then came the edits

      2 June 2025

      Digital fortress: We go inside JB5, Teraco’s giant new AI-ready data centre

      30 May 2025

      Sam Altman and Jony Ive’s big bet to out-Apple Apple

      22 May 2025
    • TCS

      TechCentral Nexus S0E3: Behind Takealot’s revenue surge

      23 June 2025

      TCS | South Africa’s Sociable wants to make social media social again

      23 June 2025

      TCS+ | AfriGIS’s Helen Hulett on how tech can help resolve South Africa’s water crisis

      18 June 2025

      TechCentral Nexus S0E2: South Africa’s digital battlefield

      16 June 2025

      TechCentral Nexus S0E1: Starlink, BEE and a new leader at Vodacom

      8 June 2025
    • Opinion

      South Africa pioneered drone laws a decade ago – now it must catch up

      17 June 2025

      AI and the future of ICT distribution

      16 June 2025

      Singapore soared – why can’t we? Lessons South Africa refuses to learn

      13 June 2025

      Beyond the box: why IT distribution depends on real partnerships

      2 June 2025

      South Africa’s next crisis? Being offline in an AI-driven world

      2 June 2025
    • Company Hubs
      • Africa Data Centres
      • AfriGIS
      • Altron Digital Business
      • Altron Document Solutions
      • Altron Group
      • Arctic Wolf
      • AvertITD
      • Braintree
      • CallMiner
      • CambriLearn
      • CYBER1 Solutions
      • Digicloud Africa
      • Digimune
      • Domains.co.za
      • ESET
      • Euphoria Telecom
      • Incredible Business
      • iONLINE
      • Iris Network Systems
      • LSD Open
      • NEC XON
      • Network Platforms
      • Next DLP
      • Ovations
      • Paracon
      • Paratus
      • Q-KON
      • SevenC
      • SkyWire
      • Solid8 Technologies
      • Telit Cinterion
      • Tenable
      • Vertiv
      • Videri Digital
      • Wipro
      • Workday
    • Sections
      • AI and machine learning
      • Banking
      • Broadcasting and Media
      • Cloud services
      • Contact centres and CX
      • Cryptocurrencies
      • Education and skills
      • Electronics and hardware
      • Energy and sustainability
      • Enterprise software
      • Fintech
      • Information security
      • Internet and connectivity
      • Internet of Things
      • Investment
      • IT services
      • Lifestyle
      • Motoring
      • Public sector
      • Retail and e-commerce
      • Science
      • SMEs and start-ups
      • Social media
      • Talent and leadership
      • Telecoms
    • Events
    • Advertise
    TechCentralTechCentral
    Home » Company News » Quantifying cyber efforts will help CISOs secure board support: Forrester

    Quantifying cyber efforts will help CISOs secure board support: Forrester

    By Forrester16 March 2022
    Twitter LinkedIn Facebook WhatsApp Email Telegram Copy Link
    News Alerts
    WhatsApp

    Even as cybersecurity ascends the list of board-level concerns, directors are already dealing with what Forrester describes as “a chronic case of cyber fatigue”. In a new report, “Transform Cyber Risk Management with Cyber Risk Quantification” (CRQ), the company looks at practical actions for those hoping to tap into the quantifiable certainty offered by CRQ.

    Years of increasing spending without quantifiable results have soured board members on the topic. Chief information security officers (CISOs) are now turning to the emerging CRQ technologies to quantify cyber risk for the board,” says Forrester in the report, which examines how board cyber fatigue requires a fundamental rethink and revolution in cyber-risk management.

    In 2021, boards of directors were consumed with cyber resilience and ransomware preparedness. According to the “Forrester Infographic: Global Security Budgets in 2022”, security accounted for 34% of the average IT budget in 2021, continuing the upward trajectory, evidenced by a 16% compounded annual growth rate (CAGR) of security budget increase since 2018.

    However, Forrester believes that while detection and response as well as increased cloud adoption will dominate 2022 budgets, security leaders can expect greater examination of spending, along with demands for mature business cases from board members.

    Investment in preventative cybersecurity is difficult to qualify

    For years, boards have asked CISOs to quantify their efforts to determine if they have adequately invested in security to meet tolerance for financial loss experienced due to a cyber risk.

    However, Forrester points out that the traditional methods of ordinal scoring mechanisms and 5×5 heatmaps can be subjective. What’s more, executives tend to view security efforts as a cost centre, which McKay and his colleagues note can lead to the following problems:

    • In the absence of a common risk language, CISOs revert to heatmaps which rely on qualitative descriptions.
    • Qualitative risk analysis lacks the business context boards are used to.
    • CISOs see their role as protecting organisational data, rather than seeing their efforts as protecting the ability of the company to generate revenue.

    Forrester says CRQ can be viewed as a “Rosetta Stone” for translating security outcomes into more relevant financial terms, defining CRQ as:

    Tools that utilise mathematical modelling techniques to render the business impact of cyber risk in financial terms. Cyber-risk quantification models combine financial loss data with cyber-threat event data to provide a financial estimate of loss based on historical data. Organisations use cyber-risk quantification to make risk transfer decisions and cybersecurity alignment with business priorities more efficient.

    Common language aligns CISO and board conversations

    Forrester points out that by introducing a common taxonomy, security professionals are better equipped to contribute to the business conversation. By translating the cyber-risk impact into financial terms, CISOs can identify the biggest risks based on what has the biggest potential financial impacts.

    CRQ is also able to help leaders make better decisions around digital strategies. The ability to more accurately quantify the financial impact of security efforts in financial terms enables business leadership to better determine the optimum investment levels and priorities.

    CISOs are painfully aware that not every threat can be acted on. CRQ allows security professionals to prioritise risk treatment and remediation, targeting their risk mitigation strategies on the most significant risks and those that will have the biggest consequences on the organisation.

    The insight delivered by CRQ also helps business leaders calibrate their insurance coverage and pricing levels, which has become increasingly important as coverage limits continue to shrink.

    Despite its many advantages, Forrester says many of the CISOs interviewed admitted that implementing CRQ posed challenges, especially if attempting to do so on their own and without the right level of expertise, data, and executive buy-in.

    To help, Forrester has compiled some helpful tips to getting started.

    Four steps to start your CRQ journey

    1. While many organisations make use of the FAIR Institute’s methodology, Forrester encourages CISOs to investigate other approaches to see which methodology best fits their requirements. These include the Information Security Forum’s (ISF’s) Quantitative Information Risk Assessment (QIRA) approach, as well as the X-Analytics, a patented approach developed by Secure Systems Innovation Corporation (SSIC).
    2. Establishing a common risk taxonomy in your organisation can help security professionals better engage with their counterparts. It also keeps all stakeholders aligned when it comes to goals, priorities, outcomes, and threats, making it easier to execute on strategic objectives.
    3. Don’t neglect the collection and documentation of historical data. Organisations will require historical data on previous events to help them identify and model future scenarios. Examining the past can also help shed light on the costs of past and future events.
    4. Start small and deliver a successful pilot. Once stakeholders see the improved decision-making quality in a defined decision outcome, they are more likely to give CRQ the support it deserves and get behind a bigger roll-out.

    Forrester ends its report by reassuring CISOs that in the next five years it expects to see significant improvements in CRQ software, which it says will further aid in the collection and integration of data and boost adoption of CRQ technologies.

    For the past decade, Forrester has been tracking and delivering deep insights into how B2B and B2C consumers interact with technology, how their behaviours and expectations evolve, and how companies should respond. For more information on how to transform cyber risk management, contact Joan Osterloh, Forrester’s authorised research partner for South and East Africa.

    • This promoted content was paid for by the party concerned


    Forrester ImproveIT Joan Osterloh
    Subscribe to TechCentral Subscribe to TechCentral
    Share. Facebook Twitter LinkedIn WhatsApp Telegram Email Copy Link
    Previous Article7 simple hacks for smarter document workflow
    Next Article MediaTek unveils Dimensity 700 and 1200 chips for African consumers

    Related Posts

    It’s time the banks did something about legacy IT

    15 August 2024

    CallMiner named only leader in Conversation Intelligence for Customer Service

    24 August 2023

    Forrester: generative AI set to transform CX

    2 August 2023
    Add A Comment

    Comments are closed.

    Company News

    IoT connectivity management in South Africa – expert insights

    23 June 2025

    Let’s reimagine Joburg using the power of tech, data and AI

    23 June 2025

    Netstar doubles down on global markets while backing SA growth

    23 June 2025
    Opinion

    South Africa pioneered drone laws a decade ago – now it must catch up

    17 June 2025

    AI and the future of ICT distribution

    16 June 2025

    Singapore soared – why can’t we? Lessons South Africa refuses to learn

    13 June 2025

    Subscribe to Updates

    Get the best South African technology news and analysis delivered to your e-mail inbox every morning.

    © 2009 - 2025 NewsCentral Media

    Type above and press Enter to search. Press Esc to cancel.