Yesterday’s solutions can’t solve today’s problems - let alone tomorrow’s. Global organizations continue to spend billions on cybersecurity yet feel less confident in their cyber risk approach. Why? The current approach to Cyber Risk Management is broken.
We explore eight major events that propelled Cyber Risk Quantification and Management (CRQM) into the spotlight during 2022, demonstrating that it is no longer an option, but the solution.
- Landmark SEC Proposals Trigger a Global Response to Broken Cyber Risk Management
In March 2022, the US Securities and Exchange Commission (SEC) proposed landmark amendments to its existing rules to enforce better preparedness and resilience among global organizations. The proposals are significant. The move reflects grave concerns that global organizations are not managing cybersecurity risk effectively. This pressure has led to increased scrutiny of cyber risk management in the boardroom and highlights the challenge of demonstrating an accurate, real-time understanding of cyber risk posture.
- International Regulatory Developments Shape the Future of Cyber Risk Management
Following the SEC proposals, we’ve observed increased regulatory pressure across the globe - particularly within Europe and AsiaPac. This includes:
  - During 2022, the European Union (EU) released proposals for a Cyber Resilience Act to bolster cybersecurity rules and ensure increased security of hardware and software products.
  - In 2023, the EU will introduce the Digital Operational Resilience Act (DORA), targeting internal cybersecurity processes and resilience measures within global organizations.
  - In AsiaPac, the Australian Cyber Security Agency (ACSC) released its annual report and sent a strong reminder that boards should include cyber resilience as part of their statutory responsibilities. The expanded Security of Critical Infrastructure (SOCI) Act will require critical infrastructure organizations to comply with new cyber risk management obligations.
The immediate future seems clear: global organizations must adopt a more proactive approach to cyber risk reporting and disclosure of security gaps and breaches. These activities have been voluntary until now, but leaders should expect to see them become legal requirements.
- The Board’s Role in Cybersecurity Risk Management Became More Critical
In the aftermath of regulations placing the onus of cybersecurity risk and breaches squarely on the corporate boardroom, CXOs will have to play a more active role in cybersecurity. While the SEC hasn’t formally adopted any amendments, the proposed changes include reporting on board oversight regarding cyber risk and management practices. In other words, cybersecurity is no longer the sole obligation of security experts. Cyber risk simply cannot be ignored. A cyber attack can cripple a business, and the ramifications for growth, revenue, and business continuity are significant. The threat landscape is more diverse and complex than ever before, so it's in the Board's best interests to prevent losses.
- Cybersecurity is Now Everyone’s Responsibility, Not Just The CISO’s
Nearly three-quarters of US CEOs in PwC’s 25th Annual Global CEO Survey said they are “extremely concerned” about cyber threats - ranking it higher than the pandemic. As a result, C-Suite executives are working more closely together to tackle cyber risk. A good example is the working relationship between CISO and CFO. If CISOs can identify the risk, CFOs can help to quantify it using long-trusted methods that have gone through hundreds of years of refinement. The CISO’s role is also continuing to evolve from a technical subject matter expert to an enterprise risk manager. Using CRQM, CISOs can meet new expectations to translate security data into business impact, including the likelihood and cost of a potential breach.
- ‘Halve the Cost of a Data Breach with Risk Quantification’ – IBM x Ponemon Institute
IBM and Ponemon Institute’s latest Cost of a Data Breach Report suggests that organizations can potentially halve the cost of a data breach if they leverage Risk Quantification techniques. This marks the first time Cyber Risk Quantification has been included in the report’s 17-year history. Advanced CRQM technologies couple the benefits of CRQM with security AI and automation, further enhancing its role in improving cyber risk management. The inclusion of CRQ is likely due to it becoming more actionable, advanced, and easily implemented.
- The Cyber Insurance Industry Needs Quantifiable Reforms
Premiums have skyrocketed by almost 30% since 2021, and coverage is increasingly difficult to secure. Premiums are based on point-in-time, quickly-dated, manual assessments of cyber risk that do not accurately reflect an organization’s cyber risk posture. The answer to these outdated methodologies lies in risk standardization. For a company seeking coverage, CRQM uses tailored tools embedded in your environment to give you real-time, accurate reports of your cyber risk posture that help you negotiate the best possible deal.
- Leading Industry Analysts, Experts, and Thought Leaders Acknowledge the Need for CRQM
Forrester, in their most recent report from January 28th, 2022, opens with “transform cyber risk management with cyber risk quantification,” acknowledging the need for CRQM to combat the cyber fatigue experienced by many boards.
Gartner reports that 70% of SRM leaders plan to adopt CRQ solutions by the end of this year. IDC states that CRQ solutions will be the new way to measure and manage cyber risks as ambiguous risk reporting won’t work for boardrooms.
- CRQM Becomes More Accessible – and SAFE Leads The Way
We’ve helped leaders worldwide overcome the challenges of implementing the Factor Analysis of Information Risk (FAIR) framework by taking advantage of CRQM. We’re proud to have developed an effective approach to implement CRQM in under 4 weeks. We were voted the best risk management solution at the 2022 CISO Choice Awards, and in August we released 2 free assessment tools, including an Interactive Cost Model and Return on Security Investment Calculator module.
“There’s a dearth of detailed knowledge about this type of issue, even among cyber insurers,” according to IDC Research Director Phil Harris. “While the tools could obviously become a potential sales channel for Safe Security, the broader benefit of raising awareness and provoking companies to take a harder look at their overall security postures is one that could be felt more widely. It should, at the very least, keep the interest of the person using the calculator to ask, ‘Why?’ Not enough people are asking that question these days, even cyber insurers—as a cyber insurer, I’d want to know what the client’s security posture is.”