“Quantitative risk analysis is the single most effective way to align security with business priorities and establish credibility with teams.” — U.S.-based CISO

As organizations continue to leverage the latest technologies and move toward even greater interconnectivity in the pursuit of growth, business strategy and cybersecurity continue to converge. Cybersecurity concerns now extend beyond the traditional IT areas of responsibility, impacting all levels of an organization.

Cybersecurity risks are on the rise around the globe, and ransomware attacks are creating frequent headlines. There is heightened awareness concerning data security at the highest levels as governments continue to tighten regulations and issue statements regarding the importance of cybersecurity. Organizations are at risk for business interruption, impact to brand reputation and significant regulatory fines.

The COVID-19 pandemic prompted a definitive shift in the way organizations work. They have had to accelerate cloud adoption while simultaneously transitioning their staff to a work-from-home business environment. This has resulted in cybersecurity teams facing additional challenges, not just from the external threats they seek to deny, but also from the internal environments they need to manage.

As the dependency between business strategy and cybersecurity continues to grow, so too does the need for communicating cyber risk across the organization. The cybersecurity conversation needs to change, from one of fear and speculation to one that informs business decisions in support of organizational goals.

Bridging the Gap Between Security and Strategic Business Objectives

Security strategy must be aligned with business objectives. Budgets need to be justified and the return on investment (ROI) related to security spending initiatives should be considered.

As Robert Kolasky, Director of the National Risk Management Center at CISA, stated in his introduction to the NACD Cyber-Risk Oversight Handbook: “Too often cybersecurity has been treated as a ‘too hard to measure’ business problem, but we are now making progress in quantifying risk.” The Handbook further states that: “Board-management discussions about cyber risk should include identification and quantification of financial exposure to cyber risks and which risks to accept, mitigate, or transfer, such as through insurance, as well as specific plans associated with each approach.”

Business stakeholders rely on their security partners to help them make the right decisions. Making informed decisions based on qualitative information alone can be difficult — especially if it is communicated in terms that are unfamiliar. Using “security speak” when talking to business leaders can result in valuable insights getting lost in translation. Risk quantification removes this barrier and bridges the gap between security and the business by getting both sides to speak a common language.

Risk quantification translates the technical threats, vulnerabilities and controls of day-to-day cybersecurity and data protection into strategic business risks backed by financial figures. It empowers technical teams to communicate at the executive level, enabling leadership to evaluate the potential impact of cyber risks along with the economic tradeoffs that exist among security initiatives. Risk quantification elevates the narrative around cybersecurity from a tactical conversation about security dynamics into a strategic conversation enabling informed decision-making that protects value and supports business objectives.

Risk Quantification: The FAIR Model

IBM’s approach to risk quantification begins with the FAIR (Factor Analysis of Information Risk) methodology. The FAIR model offers an industry-standard approach to risk quantification, establishing standardized terms to facilitate a common language.

Quantifying cyber risk with the FAIR model provides a logical and consistent way to identify, define, evaluate and forecast risk by measuring the probability and financial impact of a given scenario. The steps outlined in the FAIR analysis process give security leaders a mechanism to change the conversation around cybersecurity risk and allow them to engage with less technical stakeholders across the business. This paves the way for businesses to prioritize risk, calculate the ROI of implementing controls and understand how remediation efforts can help manage or reduce exposure. FAIR produces information with which executive leadership and board members are familiar: straightforward financial figures similar to the image below.

FAIR has quickly become a widely accepted global standard leveraged by organizations across many industries to realize the benefits of risk quantification. Currently, 45% of Fortune 1000 companies are utilizing the FAIR model in some capacity. Standards and regulatory bodies, such as the National Institute of Standards and Technology (NIST), the International Organization for Standardization (ISO) and the Securities and Exchange Commission (SEC), have incorporated risk quantification into their best practices. This adoption supports change agents in companies who are championing the need to alter their current approach, beginning the journey to risk quantification and communicating this cultural shift to their organization.
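As an added illustration of the FAIR decomposition described above (example code written for this article, not IBM's or the FAIR Institute's tooling), the following Python script expresses a scenario's Loss Event Frequency and Loss Magnitude as min / most-likely / max ranges, simulates many years to obtain a loss distribution, and then compares the exposure with and without a proposed control to produce an ROI figure. The scenario values, the control and its annual cost are all hypothetical assumptions chosen for the example.

```python
"""FAIR-style risk quantification: a constructed example.

FAIR decomposes risk into Loss Event Frequency (LEF, loss events per year)
and Loss Magnitude (LM, loss per event). Annualized loss exposure (ALE) is
their product. Because neither input is known exactly, FAIR practice captures
each as a calibrated min / most-likely / max range and simulates many years
to obtain a distribution of annual loss rather than a single number.
"""
import math
import random
import statistics
from dataclasses import dataclass


@dataclass(frozen=True)
class Pert:
    """A min / most-likely / max estimate, sampled as a beta-PERT distribution."""
    low: float
    mode: float
    high: float

    def mean(self) -> float:
        # Closed-form PERT mean (shape parameter lambda = 4).
        return (self.low + 4 * self.mode + self.high) / 6

    def sample(self, rng: random.Random, lam: float = 4.0) -> float:
        if self.high == self.low:
            return self.low
        span = self.high - self.low
        a = 1 + lam * (self.mode - self.low) / span
        b = 1 + lam * (self.high - self.mode) / span
        return self.low + rng.betavariate(a, b) * span


@dataclass(frozen=True)
class Scenario:
    name: str
    lef: Pert  # loss events per year
    lm: Pert   # loss per event, in dollars


def poisson(rng: random.Random, rate: float) -> int:
    """Draw an annual event count for a given expected rate (Knuth's method)."""
    limit, k, p = math.exp(-rate), 0, 1.0
    while True:
        p *= rng.random()
        if p <= limit:
            return k
        k += 1


def point_estimate_ale(s: Scenario) -> float:
    """Single-number ALE = mean LEF x mean LM; a sanity check for the simulation."""
    return s.lef.mean() * s.lm.mean()


def simulate_ale(s: Scenario, years: int = 20_000, seed: int = 7) -> dict:
    """Monte Carlo: simulate independent years and summarise the annual loss."""
    rng = random.Random(seed)
    losses = []
    for _ in range(years):
        rate = s.lef.sample(rng)            # this year's expected event rate
        events = poisson(rng, rate)         # how many loss events actually occur
        losses.append(sum(s.lm.sample(rng) for _ in range(events)))
    losses.sort()
    pct = lambda q: losses[int(q * (years - 1))]
    return {"mean": statistics.fmean(losses), "p50": pct(0.5),
            "p90": pct(0.9), "p95": pct(0.95), "max": losses[-1]}


def control_roi(before: Scenario, after: Scenario, annual_control_cost: float,
                seed: int = 7) -> dict:
    """Compare ALE with and without a control and express the benefit as ROI."""
    ale_before = simulate_ale(before, seed=seed)["mean"]
    ale_after = simulate_ale(after, seed=seed)["mean"]
    reduction = ale_before - ale_after
    return {"ale_before": ale_before, "ale_after": ale_after,
            "risk_reduction": reduction,
            "roi": (reduction - annual_control_cost) / annual_control_cost}


# Constructed, hypothetical scenario: ransomware against a file-server estate.
BASELINE = Scenario("ransomware, current controls",
                    lef=Pert(0.1, 0.5, 2.0),
                    lm=Pert(50_000, 250_000, 2_000_000))
# Hypothetical control (e.g. offline backups plus MFA) assumed to cut frequency.
WITH_CONTROL = Scenario("ransomware, with proposed control",
                        lef=Pert(0.05, 0.2, 1.0),
                        lm=Pert(50_000, 250_000, 2_000_000))
CONTROL_COST = 60_000.0  # assumed annual cost of the control


if __name__ == "__main__":
    for s in (BASELINE, WITH_CONTROL):
        r = simulate_ale(s)
        print(f"{s.name}: mean ALE ${r['mean']:,.0f}, "
              f"p90 ${r['p90']:,.0f}, p95 ${r['p95']:,.0f}")
    print(control_roi(BASELINE, WITH_CONTROL, CONTROL_COST))
```

The percentiles are the part that matters in a board conversation: the mean ALE sizes the expected annual cost, while p90 and p95 show how bad a plausible bad year looks, which is what an insurance or risk-acceptance decision actually turns on. The simulated mean should land close to the closed-form point estimate; a large gap between the two usually signals a mis-specified range.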

Beginning Your Risk Quantification Journey

Leaders today face greater security challenges than ever before. A glance at the 2021 Cost of a Data Breach Report illustrates the potential impact associated with these challenges and the responsibility it places on leadership. At IBM Security, we hear these concerns from security leaders, the C-suite and the Board. Pain points are reflected in recurring questions along the lines of, “Are we doing enough? How do we avoid becoming the next headline?” and “How do I build a business case for security?”

IBM Security provides risk quantification solutions to address such challenges. Our clients have benefited firsthand from adopting a quantitative approach to cyber risk. As noted above, a U.S.-based CISO recently told us that, “Quantitative risk analysis is the single most effective way to align security with business priorities and establish credibility with teams.” IBM helps organizations navigate the interplay of people, process and technology needed to adopt risk quantification and answer the question, “Are we doing enough?”

It is time to prioritize resources toward the most critical cyber risks facing businesses while optimizing security operations. IBM Security can help you identify, assess and manage cyber risk using a quantified approach. Learn more about our Risk Quantification Services to begin your journey to quantitative risk management.
