Every year when we publish the Cyberthreat Defense Report (2019 edition here), we highlight a handful of emerging areas/technologies that we believe have the potential to substantially enhance an organization’s ability to defend against current and future generations of cyberthreats. While a recent post covered Container Security Platforms, this one shines the light on Risk Quantification Solutions.
One of the greatest and most enduring challenges in information security has little to do (at least directly) with preventing, detecting, or responding to cyberthreats. Establishing a clear, business-based picture of an organization’s cyber risk is an elusive holy grail that, if done right, promises to deliver:
- An economic understanding of exposure to cyber risk
- A lingua franca for use by all stakeholders (from the board of directors to the people in the SecOps trenches)
- A decision-making framework for prioritizing and optimizing InfoSec activities, investments, and insurance
Doing it right, however, is the rub. Traditional methods – for example, involving internal assessments, third-party audits, and pen tests – fall far short of the mark. They suffer not only from being resource intensive, static, and subjective, but also from “speaking” in technical terms and metrics.
Emerging trust-rating solutions, with their origins in the vendor/third-party risk management arena, take a significant step forward. By spitting out an actual number – in this case, a figure analogous to a credit score – such tools open the door to a base level of impact analysis, as well as external benchmarking and monitoring of third-party risk. The result, though, is not only based on closed/proprietary algorithms and often limited to an assessment of externally available signals, but also remains relative and non-financial (precluding comparison with other forms of business risk).
More fully achieving the benefits of risk quantification will depend on finding an advanced solution that:
- Uses an open (if not standard) method and algorithms for calculating cyber risk
- Measures cyber risk as a probability distribution (i.e., a range) of potential financial losses within a given timeframe
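To make the second requirement concrete, here is an added illustration (not code from the original post or from any vendor it discusses) of what an open method for expressing cyber risk as a range of financial losses over a one-year horizon can look like: a small Monte Carlo model that draws an event count per year and a loss per event, then reads off loss percentiles and a loss-exceedance curve. The event frequency and loss estimates are constructed sample inputs, and the Poisson/log-normal choice is an assumption, not the method of any product named on the page.

```python
# Added illustration: a minimal, open Monte Carlo model that turns frequency
# and magnitude estimates into a distribution of annual financial loss.
# All inputs below are constructed sample estimates, not real figures.
import math
import random


def poisson_sample(rng, lam):
    """Draw an event count from Poisson(lam) (Knuth's method; fine for small lam)."""
    if lam <= 0:
        return 0
    limit, k, p = math.exp(-lam), 0, 1.0
    while True:
        p *= rng.random()
        if p < limit:
            return k
        k += 1


def simulate_annual_losses(events_per_year, loss_median, loss_p90, trials=20000, seed=7):
    """Return one simulated total loss per trial year.

    Events per year ~ Poisson(events_per_year); each event's loss is log-normal,
    calibrated so its median and 90th percentile match the analyst's estimates.
    """
    rng = random.Random(seed)
    mu = math.log(loss_median)
    sigma = (math.log(loss_p90) - mu) / 1.2816  # z-score of the 90th percentile
    totals = []
    for _ in range(trials):
        n = poisson_sample(rng, events_per_year)
        totals.append(sum(rng.lognormvariate(mu, sigma) for _ in range(n)))
    return totals


def percentile(values, pct):
    """Nearest-rank percentile of the simulated annual losses."""
    ordered = sorted(values)
    idx = min(len(ordered) - 1, int(round(pct / 100 * (len(ordered) - 1))))
    return ordered[idx]


def exceedance_probability(values, threshold):
    """P(annual loss >= threshold): one point on a loss-exceedance curve."""
    return sum(1 for v in values if v >= threshold) / len(values)


if __name__ == "__main__":
    # Constructed estimates: one qualifying incident every two years,
    # median loss $250k, one in ten incidents costing $2M or more.
    losses = simulate_annual_losses(0.5, 250_000, 2_000_000)
    for pct in (50, 90, 95, 99):
        print(f"P{pct} annual loss: ${percentile(losses, pct):,.0f}")
    for t in (100_000, 1_000_000, 5_000_000):
        print(f"P(annual loss >= ${t:,}) = {exceedance_probability(losses, t):.1%}")
```

Because the inputs are explicit and the arithmetic is open, the same numbers can be placed beside other business risks and revisited as estimates change, which is the comparison the closed scoring approaches above cannot support.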
Without the objective understanding and quantification of cyber risk such a solution can provide, no cyber risk management program can be truly effective.
If you have some thoughts to add on this topic, then please chime in. And, as always, if you’d like to engage in further discussion – or are looking for help marketing related solutions – just give us a shout. We’re here to help!