Quantifying Risks to Make the Right Cybersecurity Investments – Source: www.databreachtoday.com

Leadership & Executive Communication
,
Next-Generation Technologies & Secure Development
,
Threat Detection

CRQ Can Help Organizations Optimize Investment, Improve Resilience, Manage Threats

Chris Novak, Senior Director, Verizon Cyber Security Consulting

•
September 3, 2024    

In May 2023, a ransomware gang calling itself CL0P abused a zero-day exploit of the MOVEit file transfer tool, stealing data from government, public and financial organizations worldwide.

See Also: Introduction to Elastic Security: Modernizing security operations

The software company quickly issued a patch, but the damage was extensive and profound, affecting tens of millions of people in one of the largest file transfer attacks in history. Among the institutions affected were accounting and financial giants, along with a major U.S. airline, among others.

As the fallout from this attack continues, questions remain: What could have been done to prevent the attacks? What is the plan to prevent such attacks in the future?

Putting a Price Tag on Cyber Risks

When executives fully understand the potential impact and cost of cyberthreats, they can better assign the necessary resources to combat them. This improves operational resilience and ensures the organization remains agile enough to respond to evolving technological, economic and regulatory changes.

At its core, the urgency for organizations to better understand the risks and costs of cyberattacks is driven by rising cyberattacks and their impacts. For example, the estimated cost of cybercrime is forecast to increase from $8.15 trillion in 2023 to $13.82 trillion in 2028, according to Statista.

Verizon’s 2024 Data Breach Investigations Report reveals a substantial growth in attacks exploiting vulnerabilities to initiate breaches, showing a 180% increase from the 2023 DBIR, with attacks primarily involving ransomware and other extortion-related threat actors. Web applications were the main vector for these initial entry points, which is the approach also used in the attack on MOVEit.

To help improve their understanding of risks, many organizations are turning to Cyber Risk Quantification, which emphasizes a quantified, data-driven methodology to help CISOs and business leaders better understand, manage and lower cybersecurity risks. CRQ is a crucial tool as cybersecurity threats evolve in complexity and sophistication, as it can help to contextualize an organization’s understanding of potential financial impacts of cyberthreats.

Advantages of CRQ

Here are a few key drivers behind the need for CRQ today:

• Technological dependency: Given the always-increasing global reliance on connected technology, attack surfaces as well as breach impacts are magnified. It’s recommended that organizations quantify risks to increase the targeted allocation of resources to protect critical assets.
• Efficiency demands: Many organizations face the challenge of doing more with less. A data-driven approach such as CRQ helps optimize investments and resilience objectives, helping to allocate resources where they are most needed.
• Cyber insurance management: A CRQ process can generate data that may be useful to organizations and their cyber insurance providers in managing policy costs and coverage through more targeted risk assessment.
• Regulatory pressure: Rising regulatory oversight may require leaders to adjust their cybersecurity incident reporting. CRQ can help organizations streamline reporting demands by providing quantifiable metrics.

Organizations can leverage CRQ analysis to help develop a strategically managed cyber risks program. It can help security teams estimate the value and effectiveness of different risk mitigation strategies, asset by asset. By understanding which investments can yield the best ROI based on the estimated costs of potential risks, organizations can make better decisions about the software, infrastructure, or vendors that can help resolve their biggest cybersecurity challenges.

The Right Way to Gain Leadership Support

CISOs face challenges in communicating technical risks to nontechnical stakeholders. CRQ helps bridge the gap by translating cyber risks into financial metrics that are more likely to resonate with executives and board members. This can facilitate better decision-making data, which can help cybersecurity stakeholders and leadership teams align more easily on cybersecurity initiatives.

CRQ data can also influence cybersecurity insurance premiums and coverage enhancements. Insurers can consider estimated quantifiable CRQ generated risk data as part of their underwriting process to tailor policies, potentially reducing premiums and improving coverage terms.

Verizon’s CRQ, for example, helps CISOs provide relevant stakeholders with estimated financial information that can facilitate better-informed, data-driven decisions about cybersecurity investments, according to Chris Novak, senior director of cybersecurity consulting at Verizon.

Novak said better communication is critical, especially for U.S. organizations that face increasingly stringent SEC requirements. “The C-suite and the board are starting to recognize there’s a hot seat in the room,” Novak said. “CISOs may face additional scrutiny and liability risks. That makes a big difference.”

CISOs often don’t have an adequate budget to address cybersecurity risks, but they still must attest to the company’s security posture in regulatory reporting. One well-publicized tech company cyberattack included victims from across the U.S. federal government. The CISO faced potential legal penalties “that would have been a first following a cybersecurity incident,” Novak said.

Rising scrutiny could lead to highly experienced CISOs “backing away from certain jobs unless they can secure a higher level of support and engagement from executive leaders during their conversations about risks,” he added.

Embracing a quantified approach to cybersecurity risk management, along with analyzing real-world examples, can clear the way to more productive conversations. CRQ can help “bridge the gap between technical teams and executive leaders, fostering a more unified approach to cybersecurity,” Novak said.

The Impact of AI and CRQ

Artificial intelligence has revolutionized CRQ by helping enhance the accuracy, efficiency and predictive capabilities of risk assessments. AI-driven risk models analyze historical data to forecast future cyberthreats, helping organizations prioritize cybersecurity investments where they are most needed.

AI also helps quantify financial impacts of cyber risks by simulating different threat scenarios and the potential consequences. Insurers are already embracing AI to analyze and tailor policies specifically to the risks presented by individual organizations. “This approach not only may help to improve policy accuracy but also may help businesses obtain better coverage terms,” Novak said.

Organizations can leverage CRQ analysis to help optimize their cybersecurity investments, improve operational resilience, manage evolving threats and respond to regulatory reporting requirements.

To learn more about Verizon’s CRQ framework and how it can help to improve an organization’s cybersecurity investments and resilience, read the latest insights here.