How SIRAcon Changed My Mind About Measuring Cyber Risk

I used to think measuring cyber risk was simple. You'd make a nice heat map, slap some "high-medium-low" labels on it, and call it a day. Then I walked into a presentation by Tony Martin-Vegue at SIRAcon, the Society of Information Risk Analysts (SIRA) conference, that turned my whole perspective upside down.

For years, we security folks had been doing things the traditional way. We'd sit in meetings, arguing about whether something was a "high" or "medium" risk, each person bringing their own definition to the table. Red squares on heat maps looked scary enough to get attention, but when it came time to justify why we needed another million dollars for security tools? That's when things got awkward.

The problem wasn't just that we were being subjective. It was worse than that. Different teams would assess the same risks differently. Business units couldn't compare their risks meaningfully. And trying to show ROI for security investments? Good luck with that.

But that SIRA talk opened my eyes to something better: Cyber Risk Quantification (CRQ). Instead of arguing about colors on a map, what if we could talk about cyber risk in the language business people actually care about: money?

The FAIR (Factor Analysis of Information Risk) framework emerged as the star player in this new approach. It wasn't just about slapping dollar signs on risks; it was about breaking down complex threats into measurable pieces. FAIR decomposes risk into loss event frequency (how often a threat actor acts against an asset and succeeds) and loss magnitude (what each such event costs), and each factor is estimated as a calibrated range rather than a single point value. Suddenly, we could estimate potential losses, compare different security strategies, and have real conversations with executives about risk.


Figure 1: FAIR model (credit Fair Institute)
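To make the decomposition above concrete, here is an added worked example (mine, not code from the original post or from the FAIR Institute) that runs a small Monte Carlo over the FAIR factors: threat event frequency times vulnerability gives loss event frequency, each loss event costs primary plus secondary loss, and the simulated years produce an annualized loss distribution instead of a color. The scenario numbers, the PERT distribution with the conventional shape weight of 4, and the Knuth Poisson sampler are all my assumptions for illustration; the ranges are constructed, not measured data. The example goes one step beyond the text by comparing two scenarios (before and after a control), which is the comparison the paragraph says FAIR makes possible.

```python
import math
import random
import statistics
from dataclasses import dataclass

PERT_LAMBDA = 4.0  # conventional PERT shape weight (assumption for this example)


@dataclass(frozen=True)
class Pert:
    """A calibrated range estimate: minimum, most likely, maximum."""
    low: float
    mode: float
    high: float

    def sample(self, rng: random.Random) -> float:
        """Draw one value from a PERT (scaled beta) distribution."""
        spread = self.high - self.low
        if spread <= 0:
            return self.low  # degenerate range, e.g. a factor fixed at zero
        a = 1 + PERT_LAMBDA * (self.mode - self.low) / spread
        b = 1 + PERT_LAMBDA * (self.high - self.mode) / spread
        return self.low + rng.betavariate(a, b) * spread


@dataclass(frozen=True)
class Scenario:
    """One FAIR loss scenario: the factors at the leaves of the FAIR tree."""
    name: str
    tef: Pert             # threat event frequency, events per year
    vulnerability: Pert   # P(a threat event becomes a loss event), 0..1
    primary_loss: Pert    # direct cost per loss event, in dollars
    secondary_loss: Pert  # fines, legal, churn per loss event, in dollars


def poisson(rng: random.Random, rate: float) -> int:
    """Knuth's Poisson sampler; adequate for the small annual rates used here."""
    threshold = math.exp(-rate)
    count, p = 0, 1.0
    while True:
        p *= rng.random()
        if p <= threshold:
            return count
        count += 1


def simulate(scenario: Scenario, trials: int = 10_000, seed: int = 1) -> dict:
    """Monte Carlo over simulated years: annualized loss distribution for one scenario.

    Per year: LEF = TEF * Vulnerability, number of loss events ~ Poisson(LEF),
    each event costs primary + secondary loss. Returns summary statistics.
    """
    rng = random.Random(seed)
    annual_losses = []
    for _ in range(trials):
        lef = scenario.tef.sample(rng) * scenario.vulnerability.sample(rng)
        events = poisson(rng, lef)
        year_loss = sum(
            scenario.primary_loss.sample(rng) + scenario.secondary_loss.sample(rng)
            for _ in range(events)
        )
        annual_losses.append(year_loss)
    annual_losses.sort()
    return {
        "name": scenario.name,
        "mean": statistics.fmean(annual_losses),      # annualized loss expectancy
        "p50": annual_losses[trials // 2],
        "p90": annual_losses[int(0.9 * trials)],      # the "1-in-10 bad year"
        "p_any_loss": sum(1 for x in annual_losses if x > 0) / trials,
    }


# Constructed, hypothetical inputs: credential stuffing against a customer portal.
# The ranges are illustrative calibration, not measured data.
BASELINE = Scenario(
    "Credential stuffing, password only",
    tef=Pert(2, 6, 15),
    vulnerability=Pert(0.20, 0.40, 0.70),
    primary_loss=Pert(20_000, 75_000, 300_000),
    secondary_loss=Pert(0, 50_000, 500_000),
)
WITH_MFA = Scenario(
    "Credential stuffing, phishing-resistant MFA",
    tef=BASELINE.tef,
    vulnerability=Pert(0.02, 0.05, 0.15),
    primary_loss=BASELINE.primary_loss,
    secondary_loss=BASELINE.secondary_loss,
)


def compare(before: Scenario, after: Scenario, trials: int = 10_000, seed: int = 1) -> dict:
    """Expected annual loss avoided by a control: the number to set against its cost."""
    b, a = simulate(before, trials, seed), simulate(after, trials, seed)
    return {"before": b, "after": a, "annual_loss_avoided": b["mean"] - a["mean"]}


if __name__ == "__main__":
    result = compare(BASELINE, WITH_MFA)
    for r in (result["before"], result["after"]):
        print(f'{r["name"]}: ALE ${r["mean"]:,.0f}  p50 ${r["p50"]:,.0f}  '
              f'p90 ${r["p90"]:,.0f}  P(any loss)={r["p_any_loss"]:.0%}')
    print(f'Expected annual loss avoided by MFA: ${result["annual_loss_avoided"]:,.0f}')
```

The point of the comparison is the last line: the difference in expected annual loss between the two scenarios is the figure you put next to the cost of the control when asking for budget. The p90 matters as much as the mean, because a board usually wants to know what a bad year looks like, not just the average one, and the same Monte Carlo gives both from the same calibrated ranges.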

The timing couldn't have been better. These days, boards are asking tougher questions about cybersecurity. Regulations are getting stricter. Cybercrime isn't getting cheaper. Organizations need better ways to decide where to put their security dollars, and gut feelings just don't cut it anymore.

Of course, switching to quantitative risk assessment isn't all sunshine and rainbows. Good data can be hard to come by at first. People need training. And let's be honest: some folks just don't like change. But there are ways around these hurdles. Start small. Focus on your critical business assets. Use the data you have while building better ways to collect more. Most importantly, show some quick wins to build momentum.

For organizations ready to make the leap, here's what works:

  • Set clear goals from the start.
  • Pick a framework that fits your culture.
  • Don't try to boil the ocean: start with a pilot program and grow from there.
  • Focus on getting quality data for a few key metrics rather than trying to measure everything at once.
  • Invest in your people; they're the ones who'll make this successful.

Looking ahead (and I've seen enough to be confident about this), quantitative risk assessment isn't just a trend; it's the future of our field. Organizations that get on board now will make smarter security decisions, spend their resources more wisely, and have an easier time getting buy-in for important security initiatives.


Figure 2: QuickQuant (credit Axio)

That conference talk didn't just change my mind about risk measurement. It showed me where our industry needed to go. As cyber threats get more complex and boards demand more accountability, we need to move past colored squares and subjective labels. We need hard numbers, solid analysis, and clear financial insights.

I went into that presentation a skeptic. I came out convinced that quantitative risk assessment wasn't just a better way; it was the only way forward. Years later, I'm more certain than ever that I was right.


Thanks for reading Tech Anchorman! Subscribe for free to receive new posts and support my work.


More articles by Chad Mantooth