Duane Gran's post


Cybersecurity Leader | Risk Advisor | Privacy Professional

Once again the fun crowd of The CISO Society gathered together to contemplate best practices around Risk Measurement. Below are some notes from the conversation.

• FAIR is, not surprisingly, the most common way of approaching Cyber Risk Quantification (CRQ).
• When in doubt, your Business Impact Analysis is your best source to determine the criticality and impact of any specific system or process.
• To model industry average costs for a breach, the research from The Ponemon Institute can be helpful.
• Don't beat yourself up if you can't quantify it, because a reasonable qualitative measure (high, medium, low) is at the end of the day more useful than an untrustworthy quantitative dollar figure.
• Some have seen lower insurance premiums as a result of having a mature Risk Management program.

This aside, the real heart of the discussion was that ???? ??????'?? ???????? ?? ?????? ?????????????? ???? ???????? ???? ???? ???????? ?? ?????????????? ???????????????? ?????? ???? ?????????????????? ???????????????????? ???? ?????? ????????????????. Suggestions of meaningful outcomes were:

1. Revenue
2. Operating Cost
3. Capital Efficiency (insurance fits in here)
4. Enterprise Value

The discussion was enlightening for me personally. Several of us are looking forward to reading the 2nd edition of "How to Measure Anything in Cybersecurity Risk", which comes out in April. I'll try to revisit this topic periodically as I apply these lessons to the real world. Thanks to Jim Rutt for moderating the discussion. #riskmanagement #crq #informationsecurity CC: Matthew Sharp, Jason Cenamor

Richard Seiersen

Chief Risk Technology Officer @ Qualys | xCISO: Twilio, GE, LendingClub | Author: How To Measure Anything In Cybersecurity Risk etc...

1 year

Thanks for sharing. I just want to encourage people to beat themselves up a small bit (in a friendly way) on the quantitative stuff. It's likely a problem with the concept of measurement and not so much the methods. This sounds ironic, but let's aim for accuracy over precision. The problem of HML is that it makes us think we are being accurate...when in reality....we may be doing nothing or even worse. Lots of scholarship on this last point (as our book points out).....

Rick Brunner, CISSP

Adjunct Professor of Cybersecurity at Collin College

1 year

Great summary. I have one question on the one bullet: "Don't beat yourself up if you can't quantify it because a reasonable qualitative measure (high, medium, low) is at the end of the day more useful than an untrustworthy quantitative dollar figure." How does the above square with what Doug Hubbard presents in his latest version of The Problem With Risk Management and How to Fix It, and Richard and Doug's upcoming 2nd edition of How to Measure Cyber Risk? Perhaps if I understood the context of this bullet, I would not be asking my question.

Matthew Sharp

CISO | Author | Advisor

1 year

Nice write-up Duane Gran! Of course, check out the data sources that Kovrr enumerates in their informative blog - https://www.kovrr.com/reports/a-sneak-peak-into-kovrrs-data-sources And some relevant blog posts on SEC Proposed rules on cybersecurity - https://www.sec.gov/rules/proposed/2022/33-11038.pdf And naturally keep an eye on Richard Seiersen and Doug Hubbard who are trailblazing a path for us all!

Gabriel Bassett

Good at somethings. Bad at others. I like big, complex, altruistic challenges.

1 year

I gave a talk at RSA a few years ago using SWOT to relate cyber security to the business. It can be a Strength, Weakness, Opportunity, or Threat for a business. I think that makes a lot of sense in that it affects the core business rather than being a core objective itself.

Drew Brown

Map it, build it, use it. Improve it. NOTE: Posts, reposts, likes, and other actions on this account are endorsed by me and not any organization or entity associated with me.

1 year

This is a challenge: communicating in a meaningful way to the executives. In one former role, I could show them the textbook FAIR risk scenario. Another organization wanted RYG but within their established fiscal framework. Still another wanted some of the scenario description but with LMH - again within their established fiscal framework.

Brian Cherry, CISSP, CISM, CISA, CRISC

Information Security Leader | Security Program Development | Security Awareness and Education | Third Party Risk | Security Risk Management | Identity & Access Management | Security Engineering & Architecture

1 year

You are right, it is not the CRQ analysis, but being able to provide the CRQ in words the business understands. They understand dollars, but many times the write-up is still a technical write-up.

All valid points. Thanks for sharing

Anton Chuvakin

Security Advisor at Office of the CISO, Google Cloud

1 year

Happy to see no ALE...
