Making the Right Investments by Quantifying your RisksIT GRC/Cybersecurity | 3 Min Read |22 July 21|by Hrishikesh Choudhari
Organizations today need to optimize their risk rather than focusing on avoiding the risk – to know which risk should be accepted to enable business success and create value.
When it comes to cyber risks, one of the biggest challenges security professionals face is communicating the associated financial impact to the decision-makers. Assigning a dollar value to cyber risks will better equip the executive management and board to prioritize the risks, drive a stronger alignment between business priorities and cyber investments, and ultimately, make risk-aware decisions.
At MetricStream GRC Summit June 2021 Edition, Gavin Grounds from Verizon joined us for an exciting discussion on how organizations can thrive on risk to get a competitive edge.
In this blog, we have highlighted the interesting points from the discussion on how quantification can help in making the right security investment decisions.
What are some of the key challenges?
Regardless of whether it is a large organization or a small, one of the common challenges across all organizations in the area of cybersecurity is prioritization, Gavin said.
Organizations today face thousands of risks and a key challenge is to ascertain which of those is the biggest priority. Likewise, they might have hundreds of controls and they need to define the importance of these controls and determine how much to spend on each control. Every dollar they spend on these controls should be justified with the benefits/advantages realized. Because they have a finite budget, they need to use it in the most optimal manner.
How to start with Cyber Risk Quantification?
The primary objective for the CISO is to drive overall risk down and drive better-informed business decisions. And, cyber risk quantification can greatly simplify the process by quantifying risks in monetary value. As an example, suppose you got a business opportunity of $100M with $1M cyber risk, you can easily see the overall value of $99M and make your decision to go ahead or not. But if you represent your cyber risk in a way like 3 are critical, 5 are high, and 3 are mid risks, in that case, it's difficult to calculate the overall business value of that business opportunity and you might miss the first-mover opportunity on that business.
Prasad Sabbineni, EVP, Product at MetricStream, added that CRQ is the natural extension of the quantitative assessment (high, mid, and low-risk heatmaps) that organizations have been doing as all these factors serve as input to the model to calculate the dollar value of the associated risk. When asked about how organizations can start with CRQ, Prasad suggested that organizations can start small – select key risk areas and apply this quantitative technique to see the results. Once they understand the results and their value, they can gradually expand to other risk areas.
How MetricStream helped one of the largest telecom companies in their decision making
With MetricStream Cyber Risk Quantification (CRQ), a U.S. telco giant was able to make their cybersecurity decisions 50% faster by quantifying the dollar Impact of cyber risks.
MetricStream helped the company harmonize its risk management techniques and methods by driving towards a common risk score across cyber, operational risk, and resilience teams. This score is based on consistent factors and is grounded in a business context.
This combined risk score helps cyber teams accurately weigh the cost-benefit of either a single risk mitigation strategy or a combination of them. It also helps them increase the agility and speed of remediation efforts. MetricStream also provides a top-down and bottom-up 360-degree view of cyber risk.
Top-down views take risk assessment information from the business in terms of dollars—for example, how much it costs to keep an order processing system up and running. Meanwhile, bottom-up views provide data on the costs of mitigating vulnerabilities.
CRQ is important for every organization irrespective of the size and industry. With the interconnected fast-paced digital economy, organizations are exposed to many new risks. Prioritization and communication of risk will help in better decision-making and provide a competitive advantage in the market.