“Quantitative risk analysis is the single most effective way to align security with business priorities and establish credibility with teams.” — U.S.-based CISO

As organizations continue to leverage the latest technologies and move toward even greater interconnectivity in the pursuit of growth, business strategy and cybersecurity continue to converge. Cybersecurity concerns now extend beyond the traditional IT areas of responsibility, impacting all levels of an organization.

Cybersecurity risks are on the rise around the globe, and ransomware attacks are creating frequent headlines. There is heightened awareness concerning data security at the highest levels as governments continue to tighten regulations and issue statements regarding the importance of cybersecurity. Organizations are at risk for business interruption, impact to brand reputation and significant regulatory fines.

The COVID-19 pandemic prompted a definitive shift in the way organizations work. They have had to accelerate cloud adoption while simultaneously transitioning their staff to a work-from-home business environment. This has resulted in cybersecurity teams facing additional challenges, not just from the external threats they seek to deny, but also from the internal environments they need to manage.

As the dependency between business strategy and cybersecurity continues to grow, so too does the need for communicating cyber risk across the organization. The cybersecurity conversation needs to change, from one of fear and speculation to one that informs business decisions in support of organizational goals.

Bridging the Gap Between Security and Strategic Business Objectives

Security strategy must be aligned with business objectives. Budgets need to be justified and the return on investment (ROI) related to security spending initiatives should be considered.

As Robert Kolasky, Director of National Risk Management Center in the CISA, stated in his introduction to the NACD Cyber-Risk Oversight Handbook: “Too often cybersecurity has been treated as a ‘too hard to measure’ business problem, but we are now making progress in quantifying risk.” The Handbook further states that: “Board-management discussions about cyber risk should include identification and quantification of financial exposure to cyber risks and which risks to accept, mitigate, or transfer, such as through insurance, as well as specific plans associated with each approach.”

Business stakeholders rely on their security partners to help enable them to make the right decisions. Making informed decisions based on qualitative information alone can be difficult — especially if it is communicated in terms that are unfamiliar. Using “security speak” when talking to business leaders can result in valuable insights getting lost in translation. Risk quantification removes this barrier and bridges the gap between security and the business by getting both sides to speak a common language.

Risk quantification translates the technical threats, vulnerabilities and controls of day-to-day cybersecurity and data protection into strategic business risks backed by financial figures. It empowers technical teams to communicate at the executive level, enabling leadership to evaluate the potential impact of cyber risks along with the economic tradeoffs that exist among security initiatives. Risk quantification elevates the narrative around cybersecurity from a tactical conversation about security dynamics into a strategic conversation enabling informed decision-making that protects value and supports business objectives.

Risk Quantification: The FAIR Model

IBM’s approach to risk quantification begins with the FAIR (Factor Analysis of Information Risk) methodology. The FAIR model offers an industry-standard approach to risk quantification, establishing standardized terms to facilitate a common language.

Quantifying cyber risk with the FAIR model provides a logical and consistent way to identify, define, evaluate and forecast risk by measuring the probability and financial impact of a given scenario. The steps outlined in the FAIR analysis process offer security leaders a mechanism to change the conversation around cybersecurity risk and allows them to engage with less technical stakeholders across the business. This paves the way for businesses to prioritize risk, calculate the ROI on implementing controls and understand how remediation efforts can help manage or reduce exposure. FAIR produces information with which executive leadership and board members are familiar: straightforward financial figures similar to the image below.

FAIR has quickly become a widely accepted global standard leveraged by organizations across many industries to realize the benefits of risk quantification. Currently, 45% of Fortune 1000 companies are utilizing the FAIR model in some capacity. Standards and regulatory bodies, such as the National Institute of Standards and Technology (NIST), the International Organization for Standardization (ISO) and the Securities and Exchange Commission (SEC), have incorporated risk quantification into their best practices. This adoption supports change agents in companies who are championing the need to alter their current approach, beginning the journey to risk quantification and communicating this cultural shift to their organization.

Beginning Your Risk Quantification Journey

Leaders today face greater security challenges than ever before. A glance at the 2021 Cost of a Data Breach Report illustrates the potential impact associated with these challenges and the responsibility it places on leadership. At IBM Security, we hear these concerns from security leaders, the C-suite and the Board. Pain points are reflected in recurring questions along the lines of, “Are we doing enough? How do we avoid becoming the next headline?” and “How do I build a business case for security?”

IBM Security provides risk quantitation solutions to address such challenges. Our clients have benefited firsthand from adopting a quantitative approach to cyber risk. As noted above, a U.S.-based CISO recently told us that, “Quantitative risk analysis is the single most effective way to align security with business priorities and establish credibility with teams.” IBM helps organizations navigate the interplay of people, process and technology needed to adopt risk quantification and answer the question, “Are we doing enough?”

It is time to prioritize resources toward the most critical cyber risks facing businesses while optimizing security operations. IBM Security can help you identify, assess and manage cyber risk using a quantified approach. Learn more about our Risk Quantification Services to begin your journey to quantitative risk management.