July 18, 2022
One of the most talked-about topics among security and risk management professionals lately has been an in-depth approach to predicting risk related to cybersecurity. Cyber Risk Quantification (CRQ) arrived in 2006 but started to gain significant traction after the SEC published proposed cyber risk management requirements for public companies in March 2022. As responsibility for effective risk management on the part of board members increases, the ability to successfully quantify and manage corporate risk will soon move from a best practice to a requirement across many industries. While CRQ is not a new tool, many companies are barely scratching the surface when it comes to implementing a holistic risk management program such as CRQ, which uses an objective approach to quantify cyber risk related to business processes. This differs from the traditional and most common approach, which is almost always subjective and based on the limited knowledge of the assessor or stakeholders involved in the risk assessment.
According to Gartner® Predicts 2022, “by 2025, 50% of cybersecurity executives will have tried, unsuccessfully, to use cyber risk quantification to drive enterprise decision making.”
Developed by The Open Group, the FAIR (Factor Analysis of Information Risk) Model for Cyber Risk Quantification provides “enterprises the visibility required to assess and manage their cyber risk by calculating risk in clear terms understandable by the business. In other words, organizations can understand how cyber risk specifically affects revenue, profit, and other financial measures.” FAIR partners with several tool providers to provide hands-on training for individuals and organizations to learn how to implement CRQ in the most efficient and effective way possible for their unique situation. The FAIR model integrates with existing cybersecurity frameworks such as NIST, ISO and OCTAVE and quantifies risk by determining the probable magnitude and frequency of financial loss in any given scenario. The combination of these factors allows each risk to be assigned a dollar value. To translate this information into a visual that can be easily understood, a Monte Carlo simulation is used to show the financial impacts of each risk over a given period of time. This risk can then be used to justify cyber mitigation strategies based on business asset priority and expected loss exposure.
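The FAIR calculation described above, worked as an added example (not code from the FAIR Institute or from this article): loss event frequency and per-event loss magnitude are each given as a min / most-likely / max estimate, sampled here with a modified-PERT distribution and a Poisson event count per simulated year (both are this example's assumptions), and the Monte Carlo run returns the annualized loss expectancy, loss percentiles and the probability of exceeding a chosen loss threshold.

```python
import math
import random
import statistics


def pert(rng, low, mode, high, lam=4.0):
    """Modified-PERT sample (beta-scaled) from a min / most-likely / max estimate."""
    if not low <= mode <= high or high == low:
        raise ValueError("need low <= mode <= high and high > low")
    a = 1 + lam * (mode - low) / (high - low)
    b = 1 + lam * (high - mode) / (high - low)
    return low + (high - low) * rng.betavariate(a, b)


def poisson(rng, rate):
    """Knuth's method: number of loss events in one year at the given annual rate."""
    limit, k, p = math.exp(-rate), 0, 1.0
    while True:
        p *= rng.random()
        if p <= limit:
            return k
        k += 1


def simulate_ale(lef, lm, trials=20000, threshold=None, seed=7):
    """lef = (min, most_likely, max) loss events per year; lm = (min, most_likely, max)
    dollars lost per event. Returns ALE, loss percentiles and P(annual loss > threshold)."""
    rng = random.Random(seed)  # fixed seed so results are reproducible
    annual = []
    for _ in range(trials):
        rate = pert(rng, *lef)                     # this year's loss event frequency
        events = poisson(rng, rate)                # how many loss events actually occur
        annual.append(sum(pert(rng, *lm) for _ in range(events)))
    annual.sort()
    pct = lambda p: annual[min(len(annual) - 1, int(p * len(annual)))]
    result = {"ale": statistics.fmean(annual), "p50": pct(0.50),
              "p90": pct(0.90), "p95": pct(0.95)}
    if threshold is not None:
        # one point on the loss exceedance curve: share of years losing more than threshold
        result["p_exceed"] = sum(x > threshold for x in annual) / trials
    return result


if __name__ == "__main__":
    # constructed scenario: 0.5-6 events/year (most likely 2), $50k-$2M per event (most likely $200k)
    r = simulate_ale((0.5, 2, 6), (50_000, 200_000, 2_000_000), threshold=1_000_000)
    for key, value in r.items():
        print(f"{key}: {value:,.2f}")
```

Because the PERT mean is (min + 4·mode + max)/6, the simulated ALE should land close to E[frequency] × E[magnitude], which is a useful sanity check on the data inputs before the numbers reach a board deck.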
Since 2019, companies in all industries and of all sizes have become early adopters, implementing CRQ in part or in full for varying purposes. The initial implementation efforts have spanned manual and first-generation tool-based approaches; the manual approach reportedly suffers from disappointing results, while many first-generation tools have overpromised and under-delivered. Surveys from several leading security research and training firms have documented the effectiveness and pitfalls of implementing CRQ, in hopes of increasing the success of the model as a new tool in the security and risk management (SRM) toolbox.
The April 2022 SANS/Kovrr survey of 98 security professionals ranging from small to large businesses showed primary uses of CRQ including 72.4% for cyber budget allocation, 70% for board reporting and governance, 67% for cyber insurance and risk transfer options, 27% for M&A cyber due diligence, and 17% for capital reserve and management strategy. The same survey noted respondents intend to use CRQ to increase routine risk assessments from an annual cycle to a more frequent approach, and 80% of surveyed organizations felt that they would use CRQ outputs to increase their investment in security spending over the next 18 months.
Gartner conducted the 2021 Cyber Risk Quantification Survey, which focused on the views of 51 security and risk management leaders who have already adopted CRQ. The results from this survey show that SRM leaders primarily leverage CRQ to communicate risk, rather than to prove risk as shown in the previous survey.
Source: http://solutions.ait.ac.th/ (2020)
In these two surveys, professionals noted shortcomings, chief among them the lesson that success relies heavily on the quality of the data inputs. Similar survey findings show that CRQ as a process suffers from the same issues seen in other data-driven processes.
This is a classic example of garbage in, garbage out.
Conversely, the leading insights from the SANS/Kovrr survey were that the newness of this model along with low effectiveness in lowering the cost of security in the initial efforts were key reasons CRQ was not living up to its full potential.
ThreatConnect, which partners with The FAIR Institute, provided feedback from a CRQ webinar survey of 300 cybersecurity professionals showing a breakdown of their biggest pain points with the process. These included a lengthy process cycle, too much manual work and similar business alignment issues. One surprising result was a disbelief in the data output, which may point back to the issue of quality data inputs.
FAIR and UpGuard published a simplified list of CRQ best practices, including:
A recap of survey results indicates a new practitioner should:
As a follow-on to lessons learned, The FAIR Institute provides expert guidance to avoid 5 “CRQ” methods that are not supportive of cost-effective risk management, including:
Gartner recommends the following:
The key takeaway, for us, from both surveys is that a careful and steady approach to CRQ will maximize the opportunity for success. Taking the time to cultivate and utilize existing, high-quality data, along with crafting a business-aligned risk quantification plan, will maximize your chances of success.
FAIR Model: https://www.fairinstitute.org/what-is-fair
Oliver Wyman Scenario Mapping: While Gartner does not recommend scenario-based mapping, it is worth understanding all the approaches, and scenario-based may be appropriate for some industries and applications. https://www.oliverwyman.com/content/dam/oliver-wyman/v2/publications/2019/aug/navigating-cyber-risk-quantification.pdf
Kovrr Technical Explanation of CRQ: https://www.kovrr.com/blog-post/what-is-cyber-risk-quantification-crq
Business Wire, 2022: https://www.businesswire.com/news/home/20220407005393/en/75-Of-Security-Pros-Use-or-Will-Implement-Cyber-Risk-Quantification-Within-18-Months-According-to-Kovrr-and-SANS-Institute
FAIR, 2021: https://www.fairinstitute.org/blog/watch-out-for-these-5-cyber-risk-quantification-methods.-they-dont-support-cost-effective-risk-management-1
FAIR, 2022: https://www.fairinstitute.org/what-is-fair
FAIR(SEC), 2022: https://www.fairinstitute.org/blog/harvard-law-sec-proposed-rules-game-changer-for-cyber-risk-reporting
Gartner, 2022: https://www.gartner.com/doc/reprints?id=1-29FBE5ZT&ct=220317&st=sb
Harvard, 2022: https://corpgov.law.harvard.edu/2022/04/11/proposed-sec-cyber-rules-a-game-changer-for-public-companies/
Kovrr, 2021: https://www.kovrr.com/blog-post/what-is-cyber-risk-quantification-crq
Oliver Wyman, 2022: https://www.oliverwyman.com/content/dam/oliver-wyman/v2/publications/2019/aug/navigating-cyber-risk-quantification.pdf
Reciprocity, 2021: https://reciprocity.com/blog/top-vendor-tiering-strategies-to-mitigate-cybersecurity-risks/
ThreatConnect, 2021: https://threatconnect.com/blog/the-cyber-risk-quantification-journey-its-not-as-hard-as-some-think/
Upguard, 2022: https://www.upguard.com/blog/what-is-cyber-risk-quantification#:~:text=Cyber%20Risk%20Quantification%20(CRQ)%20is,and%20vulnerabilities%20to%20address%20first.
GARTNER is a registered trademark and service mark of Gartner, Inc. and/or its affiliates in the U.S. and internationally and is used herein with permission. All rights reserved.