“Quantitative risk analysis is the single most effective way to align security with business priorities and establish credibility with teams.” — U.S.-based CISO

As organizations continue to leverage the latest technologies and move toward even greater interconnectivity in the pursuit of growth, business strategy and cybersecurity continue to converge. Cybersecurity concerns now extend beyond the traditional IT areas of responsibility, impacting all levels of an organization.

Cybersecurity risks are on the rise around the globe, and ransomware attacks are creating frequent headlines. There is heightened awareness concerning data security at the highest levels as governments continue to tighten regulations and issue statements regarding the importance of cybersecurity. Organizations are at risk for business interruption, impact to brand reputation and significant regulatory fines.

The COVID-19 pandemic prompted a definitive shift in the way organizations work. They have had to accelerate cloud adoption while simultaneously transitioning their staff to a work-from-home business environment. This has resulted in cybersecurity teams facing additional challenges, not just from the external threats they seek to deny, but also from the internal environments they need to manage.

As the dependency between business strategy and cybersecurity continues to grow, so too does the need for communicating cyber risk across the organization. The cybersecurity conversation needs to change, from one of fear and speculation to one that informs business decisions in support of organizational goals.

Bridging the Gap Between Security and Strategic Business Objectives

Security strategy must be aligned with business objectives. Budgets need to be justified and the return on investment (ROI) related to security spending initiatives should be considered.

As Robert Kolasky, Director of the National Risk Management Center at CISA, stated in his introduction to the NACD Cyber-Risk Oversight Handbook: “Too often cybersecurity has been treated as a ‘too hard to measure’ business problem, but we are now making progress in quantifying risk.” The Handbook further states that: “Board-management discussions about cyber risk should include identification and quantification of financial exposure to cyber risks and which risks to accept, mitigate, or transfer, such as through insurance, as well as specific plans associated with each approach.”

Business stakeholders rely on their security partners to help enable them to make the right decisions. Making informed decisions based on qualitative information alone can be difficult — especially if it is communicated in terms that are unfamiliar. Using “security speak” when talking to business leaders can result in valuable insights getting lost in translation. Risk quantification removes this barrier and bridges the gap between security and the business by getting both sides to speak a common language.

Risk quantification translates the technical threats, vulnerabilities and controls of day-to-day cybersecurity and data protection into strategic business risks backed by financial figures. It empowers technical teams to communicate at the executive level, enabling leadership to evaluate the potential impact of cyber risks along with the economic tradeoffs that exist among security initiatives. Risk quantification elevates the narrative around cybersecurity from a tactical conversation about security dynamics into a strategic conversation enabling informed decision-making that protects value and supports business objectives.

Risk Quantification: The FAIR Model

IBM’s approach to risk quantification begins with the FAIR (Factor Analysis of Information Risk) methodology. The FAIR model, published by The Open Group as the Open FAIR standard, offers an industry-standard approach to risk quantification, establishing standardized terms (threat event frequency, vulnerability, loss event frequency, loss magnitude) to facilitate a common language.

Quantifying cyber risk with the FAIR model provides a logical and consistent way to identify, define, evaluate and forecast risk by measuring the probability and financial impact of a given scenario: how often a loss event is expected to occur, and how much each occurrence costs, expressed as calibrated ranges rather than single point estimates. The steps outlined in the FAIR analysis process offer security leaders a mechanism to change the conversation around cybersecurity risk and allow them to engage with less technical stakeholders across the business. This paves the way for businesses to prioritize risk, calculate the ROI on implementing controls and understand how remediation efforts can help manage or reduce exposure. FAIR produces information with which executive leadership and board members are familiar: straightforward financial figures similar to the image below.
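To make the arithmetic behind the model concrete, the following is a small Monte Carlo implementation of the FAIR top-level factors: loss event frequency (threat event frequency multiplied by vulnerability) and loss magnitude (primary plus secondary loss), combined into an annualized loss exposure distribution, with the same scenario re-run after a control to derive an ROI figure. It is an added example written for this page, not IBM’s risk quantification tooling or an official Open FAIR implementation. The ransomware scenario, its three-point estimates, the control cost, and the choice of triangular distributions and a Poisson event count are assumptions made for illustration.

```python
"""FAIR-style Monte Carlo estimate of annualized loss exposure (ALE).

Added illustrative example; every number in the scenarios below is constructed.
"""
import math
import random
import statistics
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Estimate:
    """Calibrated three-point estimate: minimum, most likely, maximum."""
    low: float
    mode: float
    high: float

    def sample(self, rng: random.Random) -> float:
        # Triangular distribution as a stand-in for the PERT curve that FAIR
        # tooling commonly uses (assumption made for this example).
        return rng.triangular(self.low, self.high, self.mode)


@dataclass(frozen=True)
class Scenario:
    """One FAIR loss scenario described by its four top-level factors."""
    name: str
    tef: Estimate        # Threat Event Frequency: attempts per year
    vuln: Estimate       # Vulnerability: P(an attempt becomes a loss event)
    primary: Estimate    # Primary loss per event (response, recovery, downtime)
    secondary: Estimate  # Secondary loss per event (fines, legal, customer churn)


def poisson(rng: random.Random, lam: float) -> int:
    """Knuth's algorithm; adequate for the small annual rates used here."""
    limit, k, p = math.exp(-lam), 0, 1.0
    while True:
        p *= rng.random()
        if p < limit:
            return k
        k += 1


def simulate(s: Scenario, iterations: int = 10_000, seed: int = 42) -> dict:
    """Simulate `iterations` independent years and summarise annual loss."""
    rng = random.Random(seed)
    annual_losses = []
    for _ in range(iterations):
        # Loss Event Frequency = TEF x Vulnerability, realised as an event count.
        lef = s.tef.sample(rng) * s.vuln.sample(rng)
        events = poisson(rng, lef)
        # Loss Magnitude = primary + secondary loss, drawn separately per event.
        loss = sum(s.primary.sample(rng) + s.secondary.sample(rng)
                   for _ in range(events))
        annual_losses.append(loss)
    annual_losses.sort()
    return {
        "mean": statistics.fmean(annual_losses),
        "median": statistics.median(annual_losses),
        "p90": annual_losses[int(0.9 * len(annual_losses))],
        "max": annual_losses[-1],
    }


def control_roi(before: Scenario, after: Scenario,
                annual_control_cost: float, seed: int = 42) -> dict:
    """ALE with and without a control, expressed as return on the control spend."""
    base, ctrl = simulate(before, seed=seed), simulate(after, seed=seed)
    reduction = base["mean"] - ctrl["mean"]
    return {
        "ale_before": base["mean"],
        "ale_after": ctrl["mean"],
        "ale_reduction": reduction,
        "roi": (reduction - annual_control_cost) / annual_control_cost,
    }


# Constructed scenario: ransomware reaching a mid-sized company through phishing.
RANSOMWARE = Scenario(
    name="ransomware via phishing",
    tef=Estimate(5, 20, 60),
    vuln=Estimate(0.02, 0.05, 0.15),
    primary=Estimate(50_000, 250_000, 2_000_000),
    secondary=Estimate(0, 100_000, 1_000_000),
)
# Same scenario after phishing-resistant MFA and EDR lower the chance that an
# attempt turns into a loss event; frequency of attempts and loss per event
# are unchanged (assumed control effect, for illustration only).
RANSOMWARE_WITH_CONTROLS = replace(
    RANSOMWARE, name="ransomware via phishing, MFA + EDR in place",
    vuln=Estimate(0.005, 0.01, 0.04))

if __name__ == "__main__":
    for s in (RANSOMWARE, RANSOMWARE_WITH_CONTROLS):
        r = simulate(s)
        print(f"{s.name}: mean ALE ${r['mean']:,.0f}, "
              f"P90 ${r['p90']:,.0f}, worst year ${r['max']:,.0f}")
    roi = control_roi(RANSOMWARE, RANSOMWARE_WITH_CONTROLS, annual_control_cost=150_000)
    print(f"ALE reduction ${roi['ale_reduction']:,.0f} against $150,000/yr "
          f"of control spend -> ROI {roi['roi']:.1f}x")
```

Two design points matter more than the particular numbers. First, inputs are ranges, not point values, so the output is a distribution: the mean is the figure to put against a budget line, while the 90th percentile and the worst simulated year are what a board wants to hear about when deciding how much risk to accept or transfer. Second, the control is modelled by changing only the factor it actually affects (vulnerability), which keeps the comparison honest and makes the resulting ROI traceable to a specific, defensible assumption.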

FAIR has quickly become a widely accepted global standard leveraged by organizations across many industries to realize the benefits of risk quantification. Currently, 45% of Fortune 1000 companies are utilizing the FAIR model in some capacity. Standards and regulatory bodies, such as the National Institute of Standards and Technology (NIST), the International Organization for Standardization (ISO) and the Securities and Exchange Commission (SEC), have incorporated risk quantification into their best practices. This adoption supports change agents in companies who are championing the need to alter their current approach, beginning the journey to risk quantification and communicating this cultural shift to their organization.

Beginning Your Risk Quantification Journey

Leaders today face greater security challenges than ever before. A glance at the 2021 Cost of a Data Breach Report illustrates the potential impact associated with these challenges and the responsibility it places on leadership. At IBM Security, we hear these concerns from security leaders, the C-suite and the Board. Pain points are reflected in recurring questions along the lines of, “Are we doing enough? How do we avoid becoming the next headline?” and “How do I build a business case for security?”

IBM Security provides risk quantification services to address such challenges. Our clients have benefited firsthand from adopting a quantitative approach to cyber risk. As noted above, a U.S.-based CISO recently told us that, “Quantitative risk analysis is the single most effective way to align security with business priorities and establish credibility with teams.” IBM helps organizations navigate the interplay of people, process and technology needed to adopt risk quantification and answer the question, “Are we doing enough?”

It is time to prioritize resources toward the most critical cyber risks facing businesses while optimizing security operations. IBM Security can help you identify, assess and manage cyber risk using a quantified approach. Learn more about our Risk Quantification Services to begin your journey to quantitative risk management.
