As part of our series on Integrated, Digital Risk Modeling, or IDRM, we now delve into the importance of risk quantification.
Simply put, you can’t manage what you can’t measure — and most companies don’t measure cyber risk.
The failure to quantify these threats is a big part of the reason “cyber is the most dangerous weapon in the world — politically, economically and militarily.”
Only 26% of enterprises quantify cyber risk today, according to a recent PwC report. With no way to quantify risk, there is no way to predict impact. Is it any wonder ransomware attacks and data privacy breaches continue to proliferate? The hackers’ business model is outsmarting companies’ cyber defenses.
“Chances are good that neither you nor your competitors are letting data inform your cyber risk management,” the PwC report notes. “So many entities fail to benefit from today’s advanced intelligence tools and approaches. New types of internal data, data from new external sources, new data partnerships and information-sharing platforms can be important sources of business intelligence, but only about a quarter of respondents say they’re reaping benefits from these tools.”
“The other three-quarters are missing out.”
Integrated, Digital Risk Modeling is a new methodology that, among other things, quantifies the financial impact of a company’s cyber threats. It does the same for all types of enterprise risk: data privacy, regulatory compliance, operations, supply chain, etc.
IDRM goes beyond traditional risk score methodology to calculate and predict the financial impact, remediation cost, and annual loss expectancy of each factor of risk across an enterprise. It collects and analyzes the organization’s unique operational data, so the intelligence created is bespoke, accurate, and actionable.
When risks are quantified, decision-makers can immediately compare the severity of one challenge to another, set priorities, and create data-driven remediation plans.
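To make the comparison concrete, here is a small Python illustration, added for this article and not RiskOpsAI's IDRM implementation, of the textbook quantities named above: single loss expectancy (SLE = asset value × exposure factor), annual loss expectancy (ALE = SLE × annualised rate of occurrence), a ranking of risk factors by ALE, and the net annual benefit of a proposed control (ALE removed minus the control's yearly cost). The risk factors, their figures and the hypothetical ransomware control are all constructed for the example.

```python
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class RiskFactor:
    """One quantified risk factor (constructed inputs, not real data)."""
    name: str
    asset_value: float      # value exposed by the incident, in currency units
    exposure_factor: float  # fraction of asset_value lost per incident, 0..1
    aro: float              # annualised rate of occurrence (incidents / year)

    def __post_init__(self):
        if not 0.0 <= self.exposure_factor <= 1.0:
            raise ValueError(f"{self.name}: exposure factor must be in [0, 1]")
        if self.aro < 0 or self.asset_value < 0:
            raise ValueError(f"{self.name}: ARO and asset value must be non-negative")

    def sle(self) -> float:
        """Single loss expectancy: expected loss from one incident."""
        return self.asset_value * self.exposure_factor

    def ale(self) -> float:
        """Annual loss expectancy: expected loss per year."""
        return self.sle() * self.aro


def rank_by_ale(risks):
    """Return the risk factors ordered from largest to smallest ALE."""
    return sorted(risks, key=lambda r: r.ale(), reverse=True)


def control_net_benefit(risk, *, aro_after, exposure_after, annual_cost):
    """Net annual benefit of a control: ALE removed minus what the control costs.

    A positive value means the control pays for itself on expected loss alone;
    a negative one means it costs more per year than the loss it prevents.
    """
    mitigated = replace(risk, aro=aro_after, exposure_factor=exposure_after)
    return risk.ale() - mitigated.ale() - annual_cost


# Constructed portfolio spanning the categories the article names
# (cyber, data privacy, supply chain, regulatory). All figures are invented.
RANSOMWARE = RiskFactor("ransomware on order system", 2_000_000, 0.25, 0.5)
DATA_BREACH = RiskFactor("customer data breach", 5_000_000, 0.10, 0.2)
SUPPLIER_OUTAGE = RiskFactor("sole-source supplier outage", 800_000, 0.50, 1.0)
REGULATORY_FINE = RiskFactor("regulatory fine", 1_000_000, 1.00, 0.05)
RISKS = [RANSOMWARE, DATA_BREACH, SUPPLIER_OUTAGE, REGULATORY_FINE]


if __name__ == "__main__":
    for r in rank_by_ale(RISKS):
        print(f"{r.name:30} SLE={r.sle():>12,.0f}  ARO={r.aro:<5}  ALE={r.ale():>12,.0f}")
    # Hypothetical control: offline backups plus EDR for the ransomware factor,
    # assumed to cut ARO to 0.2 per year and the exposure factor to 0.10.
    net = control_net_benefit(RANSOMWARE, aro_after=0.2, exposure_after=0.10,
                              annual_cost=60_000)
    print(f"ransomware control net annual benefit: {net:,.0f}")
```

With these constructed inputs the supplier outage ranks first (ALE 400,000) even though a single ransomware incident is larger, because it is expected to recur every year; that is the kind of reordering a pure severity score misses. The ransomware control removes 210,000 of expected annual loss for a 60,000 annual cost, a net benefit of 150,000, which is the figure a budget request would cite.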
It also enhances transparency, accountability, customer experience, and strategic external relationships, says Phil Quade, former Chief Information Security Officer (CISO) for a major cyber security company, long-time officer in the National Security Agency, and a member of the RiskOpsAI™ Advisory Board.
“You are increasingly being held accountable and asked to be transparent about . . . your cyber security decision making and your leveraging of technologies (to) make your business decisions,” Quade says. “The strategy of leveraging data and quantifying (risks) based on insights you draw from that data . . . allows you to look backward to figure out how you got here and also to look forward to figure out . . . the right decisions and the right risks to take to enhance (your) business or enhance safety or the customer experience.”
Going further, RiskOpsAI™’s IDRM platform combines this refined picture of the potential financial impact of specific risks with industry and peer group benchmarks that provide context and perspective to risk analysis.
In the PwC survey, respondents’ top reasons for quantifying cyber risk were to:
- Continuously evaluate their risk landscape and priorities in relation to changing business objectives.
- Identify and justify improvements to protective capabilities (including adding personnel).
- Help evaluate and communicate risks in line with the company’s defined risk tolerance.
- Provide quantitative analysis to justify cyber investment requests.
“There’s an old saying about quantification: What gets measured gets done,” Quade says. “What RiskOpsAI™ is doing . . . will allow you to enhance your decision making by using hard data, finding (insights) through analytics, and presenting (this business intelligence) in ways that can enhance human decision making.”
For more from Phil Quade on risk quantification, watch this short video.
This is part of a series on the benefits of Integrated, Digital Risk Modeling. Previous installments can be found at: