“Quantitative risk analysis is the single most effective way to align security with business priorities and establish credibility with teams.” — U.S.-based CISO

As organizations continue to leverage the latest technologies and move toward even greater interconnectivity in the pursuit of growth, business strategy and cybersecurity continue to converge. Cybersecurity concerns now extend beyond the traditional IT areas of responsibility, impacting all levels of an organization.

Cybersecurity risks are on the rise around the globe, and ransomware attacks are creating frequent headlines. There is heightened awareness concerning data security at the highest levels as governments continue to tighten regulations and issue statements regarding the importance of cybersecurity. Organizations are at risk for business interruption, impact to brand reputation and significant regulatory fines.

The COVID-19 pandemic prompted a definitive shift in the way organizations work. They have had to accelerate cloud adoption while simultaneously transitioning their staff to a work-from-home business environment. This has resulted in cybersecurity teams facing additional challenges, not just from the external threats they seek to deny, but also from the internal environments they need to manage.

As the dependency between business strategy and cybersecurity continues to grow, so too does the need for communicating cyber risk across the organization. The cybersecurity conversation needs to change, from one of fear and speculation to one that informs business decisions in support of organizational goals.

Bridging the Gap Between Security and Strategic Business Objectives

Security strategy must be aligned with business objectives. Budgets need to be justified and the return on investment (ROI) related to security spending initiatives should be considered.

As Robert Kolasky, Director of the National Risk Management Center at CISA, stated in his introduction to the NACD Cyber-Risk Oversight Handbook: “Too often cybersecurity has been treated as a ‘too hard to measure’ business problem, but we are now making progress in quantifying risk.” The Handbook further states that: “Board-management discussions about cyber risk should include identification and quantification of financial exposure to cyber risks and which risks to accept, mitigate, or transfer, such as through insurance, as well as specific plans associated with each approach.”

Business stakeholders rely on their security partners to help enable them to make the right decisions. Making informed decisions based on qualitative information alone can be difficult — especially if it is communicated in terms that are unfamiliar. Using “security speak” when talking to business leaders can result in valuable insights getting lost in translation. Risk quantification removes this barrier and bridges the gap between security and the business by getting both sides to speak a common language.

Risk quantification translates the technical threats, vulnerabilities and controls of day-to-day cybersecurity and data protection into strategic business risks backed by financial figures. It empowers technical teams to communicate at the executive level, enabling leadership to evaluate the potential impact of cyber risks along with the economic tradeoffs that exist among security initiatives. Risk quantification elevates the narrative around cybersecurity from a tactical conversation about security dynamics into a strategic conversation enabling informed decision-making that protects value and supports business objectives.

Risk Quantification: The FAIR Model

IBM’s approach to risk quantification begins with the FAIR (Factor Analysis of Information Risk) methodology. The FAIR model offers an industry-standard approach to risk quantification, establishing standardized terms to facilitate a common language.

Quantifying cyber risk with the FAIR model provides a logical and consistent way to identify, define, evaluate and forecast risk by measuring the probability and financial impact of a given scenario. The steps outlined in the FAIR analysis process offer security leaders a mechanism to change the conversation around cybersecurity risk and allow them to engage with less technical stakeholders across the business. This paves the way for businesses to prioritize risk, calculate the ROI on implementing controls and understand how remediation efforts can help manage or reduce exposure. FAIR produces information with which executive leadership and board members are familiar: straightforward financial figures similar to the image below.
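To make the probability-times-impact idea concrete, here is an added worked example (written for this article, not IBM's tooling and not a reference implementation of the FAIR standard). It follows FAIR's top-level decomposition, which the standard does define: Loss Event Frequency is Threat Event Frequency times Vulnerability, and Loss Magnitude is primary plus secondary loss per event. Everything else is an assumption made for illustration: the min / most-likely / max ranges are sampled as triangular distributions (practitioners often use PERT), the number of loss events in a year is drawn from a Poisson distribution, and the ransomware scenario, its dollar figures and the control cost are constructed values, not data from any real assessment.

```python
"""FAIR-style Monte Carlo risk quantification (illustrative example, constructed figures)."""
import math
import random
import statistics
from dataclasses import dataclass


@dataclass(frozen=True)
class Estimate:
    """Calibrated min / most-likely / max estimate, sampled as a triangular distribution.

    Assumption for this example: FAIR analysts commonly use PERT instead of triangular.
    """
    low: float
    mode: float
    high: float

    def sample(self, rng: random.Random) -> float:
        return rng.triangular(self.low, self.high, self.mode)


@dataclass(frozen=True)
class Scenario:
    """One loss scenario expressed in FAIR's top-level factors."""
    name: str
    threat_event_frequency: Estimate  # TEF: threat events per year
    vulnerability: Estimate           # P(a threat event becomes a loss event), 0..1
    primary_loss: Estimate            # $ per loss event: response, recovery, downtime
    secondary_loss: Estimate          # $ per loss event: fines, customer churn, legal


def poisson_draw(lam: float, rng: random.Random) -> int:
    """Number of loss events in one simulated year for expected frequency lam (Knuth's method)."""
    threshold = math.exp(-lam)
    k, p = 0, 1.0
    while True:
        p *= rng.random()
        if p <= threshold:
            return k
        k += 1


def simulate_annual_loss(s: Scenario, rng: random.Random) -> float:
    """One Monte Carlo year: LEF = TEF x Vulnerability; each event costs primary + secondary loss."""
    lef = s.threat_event_frequency.sample(rng) * s.vulnerability.sample(rng)
    events = poisson_draw(lef, rng)
    return sum(s.primary_loss.sample(rng) + s.secondary_loss.sample(rng) for _ in range(events))


def simulate(s: Scenario, iterations: int = 10_000, seed: int = 7) -> dict:
    """Annualised loss distribution: the figures a board can set against budgets and insurance limits."""
    rng = random.Random(seed)
    losses = sorted(simulate_annual_loss(s, rng) for _ in range(iterations))

    def pct(p: float) -> float:
        return losses[min(len(losses) - 1, int(p * len(losses)))]

    return {"mean": statistics.fmean(losses), "p10": pct(0.10),
            "p50": pct(0.50), "p90": pct(0.90), "max": losses[-1]}


def point_estimate_ale(s: Scenario) -> float:
    """Single-number annualised loss expectancy from most-likely values only.

    Useful as a sanity check, but it hides the tail that the distribution above exposes.
    """
    return (s.threat_event_frequency.mode * s.vulnerability.mode
            * (s.primary_loss.mode + s.secondary_loss.mode))


def control_roi(baseline: Scenario, controlled: Scenario, annual_control_cost: float,
                iterations: int = 10_000, seed: int = 7) -> dict:
    """ROI of a control = (expected annual loss avoided - control cost) / control cost."""
    base = simulate(baseline, iterations, seed)["mean"]
    ctrl = simulate(controlled, iterations, seed)["mean"]
    avoided = base - ctrl
    return {"baseline_ale": base, "controlled_ale": ctrl, "loss_avoided": avoided,
            "roi": (avoided - annual_control_cost) / annual_control_cost}


# Constructed, hypothetical figures for a ransomware scenario against a file server.
BASELINE = Scenario(
    name="Ransomware on file server (current controls)",
    threat_event_frequency=Estimate(2, 6, 12),
    vulnerability=Estimate(0.05, 0.15, 0.30),
    primary_loss=Estimate(50_000, 250_000, 1_000_000),
    secondary_loss=Estimate(10_000, 100_000, 500_000),
)

# Same scenario after adding, for instance, phishing-resistant MFA and EDR:
# only the Vulnerability factor is assumed to change.
WITH_CONTROL = Scenario(
    "Ransomware on file server (+MFA, +EDR)",
    BASELINE.threat_event_frequency, Estimate(0.01, 0.04, 0.10),
    BASELINE.primary_loss, BASELINE.secondary_loss,
)
CONTROL_COST = 120_000  # hypothetical annual licence plus operations cost


if __name__ == "__main__":
    for s in (BASELINE, WITH_CONTROL):
        r = simulate(s)
        print(f"{s.name}: mean ${r['mean']:,.0f}  p10 ${r['p10']:,.0f}  "
              f"p50 ${r['p50']:,.0f}  p90 ${r['p90']:,.0f}")
    print(control_roi(BASELINE, WITH_CONTROL, CONTROL_COST))
```

The percentile output is the part that changes the conversation: the p90 figure tells a board what a bad year looks like, which a single expected-loss number cannot, and the `control_roi` comparison turns a control request into the ROI question the article raises. Replacing the constructed ranges with calibrated estimates from the people who run the systems is the actual analysis work.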

FAIR has quickly become a widely accepted global standard leveraged by organizations across many industries to realize the benefits of risk quantification. Currently, 45% of Fortune 1000 companies are utilizing the FAIR model in some capacity. Standards and regulatory bodies, such as the National Institute of Standards and Technology (NIST), the International Organization for Standardization (ISO) and the Securities and Exchange Commission (SEC), have incorporated risk quantification into their best practices. This adoption supports change agents in companies who are championing the need to alter their current approach, beginning the journey to risk quantification and communicating this cultural shift to their organization.

Beginning Your Risk Quantification Journey

Leaders today face greater security challenges than ever before. A glance at the 2021 Cost of a Data Breach Report illustrates the potential impact associated with these challenges and the responsibility it places on leadership. At IBM Security, we hear these concerns from security leaders, the C-suite and the Board. Pain points are reflected in recurring questions along the lines of, “Are we doing enough? How do we avoid becoming the next headline?” and “How do I build a business case for security?”

IBM Security provides risk quantification solutions to address such challenges. Our clients have benefited firsthand from adopting a quantitative approach to cyber risk. As noted above, a U.S.-based CISO recently told us that, “Quantitative risk analysis is the single most effective way to align security with business priorities and establish credibility with teams.” IBM helps organizations navigate the interplay of people, process and technology needed to adopt risk quantification and answer the question, “Are we doing enough?”

It is time to prioritize resources toward the most critical cyber risks facing businesses while optimizing security operations. IBM Security can help you identify, assess and manage cyber risk using a quantified approach. Learn more about our Risk Quantification Services to begin your journey to quantitative risk management.
